Bugtraq mailing list archives
Re: b2 cafelog 0.6.1 remote command execution.
From: Cheng-Jih Chen <cjc () cjc org>
Date: Mon, 2 Jun 2003 10:59:10 -0400 (EDT)
On Fri, 30 May 2003, mike little wrote:
Secondly, has anyone tried this? The fact is that b2config.php defines $b2inc with no test before hand. So that, whilst for the duration of the parsing of b2config.php, $b2inc could indeed be set to some value from the outside world. It is immediately overwritten with no check with the value set by the user (or left from the defalut installation). In order to effectively use the setting of b2inc for malicious purposes you would have to have enough access to edit b2config.php.
The problem is that the default location for gm-2-b2.php is in the b2-tools directory. The include("b2config.php") statement may then miss the primary b2 directory and fail to pick up b2config.php. If register_globals is on, then the attacker can set the b2inc variable from the URL.
Current thread:
- Re: b2 cafelog 0.6.1 remote command execution. mike little (Jun 01)
- Re: b2 cafelog 0.6.1 remote command execution. Cheng-Jih Chen (Jun 03)