b2 cafelog: remote command execution, sql injection and another flaw.

["FraMe" <frame () hispalab com>]

Products:    b2 cafelog 0.6.1 with ljupdate
                  b2 cafelog 0.6.2 and prior
Author: FraMe ( frame at kernelpanik.org )
URL: http://www.kernelpanik.org

CONTENTS

1. Overview
2. Description.
3. Details.
4. Vendor Response

1. Overview.

b2 is a news/weblog tool written in php. b2 uses MySQL as backend system.

2. Description.

"b2 0.6.1 with ljupdate" allow remote command execution in
./b2-include/b2functions.php. A malicious user can inject an url in $b2inc,
and obtain command execution with web server privileges ( usually nobody ).

"b2 0.6.2 and prior" allow sql injection in ./blog.header.php. $posts isn´t
convert to integer, so we can inject a sql in this variable. In MySQL 4.x
UNION and subselects can be used to obtain privileges.

"b2 0.6.2 and prior" has a little flaw. Bored users can force server to read
a remote file using $b2inc in ./b2-include/b2menutop.php

3. Details

b2 0.6.1 with ljupdate.
from ./b2-include/b2functions.php:
=======================
<?php
(..)
require_once($b2inc."/lj_update.php");
?>
=======================

b2 0.6.2 and prior
from ./blog.header.php:
=======================
<?php
(..)
if ($posts)
 $posts_per_page=$posts;
(..)
$limits = ' LIMIT '.$posts_per_page;
(..)
$request = " SELECT $distinct * FROM $tableposts WHERE 1=1".$where." ORDER
BY post_$orderby $limits";
(..)
$result = mysql_query($request);
?>
=======================

b2 0.6.2 and prior
from ./b2-include/b2menutop.php:
=======================
<?php
(..)
$menu = file($b2inc."/b2menutop.txt");
(..)
?>

4. Vendor Response

20-04-2003: Sent email to vendor.
31-05-2003: No response.

==============================
[ FraMe - frame at kernelpanik.org ]
[ URL - http://frame.lifefromthenet.com ]
[ Kernelpanik - http://www.kernelpanik.org ]
[ PGP KeyID - 0xFA81AC9C ]
==============================