Message-ID: <000901c3409b$84d95510$5e94cb51@angie>
Date: Wed, 2 Jul 2003 15:11:36 +0200
From: "FraMe" <frame@...palab.com>
To: <bugtraq@...urityfocus.com>
Subject: Greymatter v1.21d: Remote PHP command injection/execution.
Product: Greymatter v1.21d
Vendor: Noah Grey - GreySoft
Author: FraMe ( frame at kernelpanik.org )
URL: http://www.kernelpanik.org
CONTENTS
1. Overview
2. Description
3. How to exploit it?
4. Impact
5. Patch
6. Vendor Response
7. Greetings
1. Overview
Greymatter is a news/weblog tool written in Perl. Greymatter uses HTML files
as its backend storage.
2. Description
Greymatter v1.21d was released to patch a PHP injection vulnerability
( http://www.securityfocus.com/bid/7055 ) in the comments system. It checks
whether the tags "<?" and "?>" are present, but it does not check for the
tags <script language="php"> or "<%" (ASP style; off by default).
3. How to exploit it?
Easy: in the name, email or URL fields, a user can input, for example:
<script language="php">PHPCOMMAND;</script >
Note: the blank space in </script > is necessary; it avoids the other checks.
4. Impact
If the comment file is parsed by PHP, this produces remote PHP execution,
usually with web server privileges.
5. Patch
sub gm_htmlspecial {
    # Convert "<" in every user-supplied comment field to the HTML entity
    # "&lt;", so that no tag of any flavour (<?, <script ...>, <%) survives
    # in the stored comment file.
    $IN{'newcommentbody'}     =~ s/</&lt;/g;
    $IN{'newcommentauthor'}   =~ s/</&lt;/g;
    $IN{'newcommentemail'}    =~ s/</&lt;/g;
    $IN{'newcommenthomepage'} =~ s/</&lt;/g;
    # Convert ">" to "&gt;" in the same fields.
    $IN{'newcommentbody'}     =~ s/>/&gt;/g;
    $IN{'newcommentauthor'}   =~ s/>/&gt;/g;
    $IN{'newcommentemail'}    =~ s/>/&gt;/g;
    $IN{'newcommenthomepage'} =~ s/>/&gt;/g;
}
Note: a patched gm-comments.cgi can be downloaded from:
http://www.kernelpanik.org/code/kernelpanik/gmc.zip
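To make the gap between sections 2 and 5 concrete, here is an added example (written for this page in Python; it is not Greymatter code and not part of the advisory). It reconstructs, from the description above, a v1.21d-style check that only looks for "<?" and "?>", shows that a field carrying the alternative open tag passes it unchanged, and then applies the same entity conversion as the patch so that no PHP open tag of any flavour remains in what gets written to the comment file. The field names and sample values are constructed for the example.

```python
import re

# Constructed sample comment fields, as a CGI script would receive them
# (not taken from the advisory). The homepage field carries the alternative
# PHP open tag the advisory describes; the body carries the short tag.
SAMPLE_FIELDS = {
    "author": "Alice",
    "email": "alice@example.invalid",
    "homepage": '<script language="php">PHPCOMMAND;</script >',
    "body": "<? PHPCOMMAND; ?>",
}

# Reconstruction of the v1.21d-style check as the advisory describes it
# (assumption: not the project's actual code): only "<?" / "?>" are rejected.
NARROW_TAGS = ("<?", "?>")

def narrow_check_rejects(value: str) -> bool:
    """True when the narrow short-tag check would refuse this value."""
    return any(tag in value for tag in NARROW_TAGS)

# The other open tags PHP honoured at the time: the <script language="php">
# form and the ASP-style "<%" form (asp_tags is off by default, as noted above).
ALT_TAGS = re.compile(r'<script\s+language\s*=\s*["\']?php["\']?\s*>|<%',
                      re.IGNORECASE)

def alt_tag_slips_through(value: str) -> bool:
    """True when the narrow check accepts a value that still carries a PHP open tag."""
    return not narrow_check_rejects(value) and ALT_TAGS.search(value) is not None

def any_php_open_tag(value: str) -> bool:
    """Detection used to verify the output: any known PHP open tag present?"""
    return "<?" in value or ALT_TAGS.search(value) is not None

def escape_fields(fields: dict) -> dict:
    """Mirror of the advisory's patch: every '<' becomes '&lt;' and every '>'
    becomes '&gt;', so the stored text can never start a PHP (or HTML) tag."""
    return {name: value.replace("<", "&lt;").replace(">", "&gt;")
            for name, value in fields.items()}

def audit(fields: dict) -> dict:
    """Report which raw fields the narrow check misses, and confirm that the
    escaped copy of every field is free of PHP open tags."""
    escaped = escape_fields(fields)
    return {
        "missed_by_narrow_check": [n for n, v in fields.items() if alt_tag_slips_through(v)],
        "tags_left_after_escape": [n for n, v in escaped.items() if any_php_open_tag(v)],
        "escaped": escaped,
    }

if __name__ == "__main__":
    for key, val in audit(SAMPLE_FIELDS).items():
        print(f"{key}: {val}")
```

Run it as a script to see the audit: the homepage field is the one the narrow check misses, and the escaped copy has no PHP open tag in any field. The escaping step works because PHP's parser, like an HTML parser, only recognises a literal "<"; once every "<" is an entity, adding more patterns to a blocklist becomes unnecessary.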
6. Vendor Response
02/07/03: Posted in the Greymatter support forum.
Sent to Bugtraq.
7. Greetings
Fermín J. Serna <fjserna at ngsec.com> (aka Zhodiac)
==============================
[ FraMe - frame at kernelpanik.org ]
[ URL - http://frame.lifefromthenet.com ]
[ Kernelpanik - http://www.kernelpanik.org ]
[ PGP KeyID - 0xFA81AC9C ]
==============================