From: Frank (thran60hotmail.com)
Date: Mon May 06 2002 - 05:13:37 CDT

    Site: www.cafelog.com

    b2 0.6pre2 and earlier.

    B2 is a PHP script which allows webmasters to quickly post
    news on the front page and let viewers interact with
    each other. A bug exists in the scripts which allows an
    attacker to remotely execute commands.


    Taken from /b2-include/b2edit.showposts.php:

    include_once ("b2config.php");
    include_once ($b2inc."/b2functions.php");

    Because b2config.php does not exist inside the b2-include
    directory, the first include fails and the script never sets
    $b2inc, so an attacker can define $b2inc himself.
    So if the attacker creates a file on his server, for
    example www.attacker.com , called b2functions.php, and he
    writes the following in it :
    (note: the attacker's server must not be able to run PHP;
    it has to serve the file as text)
    he can include the file like this :
    This would execute the ls command on vulnerablehost.com.

    Fix: copy b2config.php into the b2-include directory.

    The vendor has been warned, and had already released the same
    fix a few days earlier.
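
An audit check for the pattern described above, added here as an example (it is not part of the original post or of b2): it flags every include/require whose path uses a variable that the same file never assigns before that point. A variable set only in another included file counts as unassigned, because include_once on a missing file raises only a warning and execution continues. The PINNED sample is a constructed, hypothetical variant, not the vendor's fix.

```python
import re

# include/require statement; group 1 is the path expression up to the ';'
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\b\s*\(?\s*([^;]*);', re.I)
VAR_RE = re.compile(r'\$([A-Za-z_]\w*)')
# plain assignment "$name =", excluding "==" and "=>"
ASSIGN_RE = re.compile(r'\$([A-Za-z_]\w*)\s*=(?![=>])')

def audit_includes(php_source):
    """Return (line_no, variable, statement) for every include/require whose
    path uses a variable that this file has not assigned before that point."""
    assigned, findings = set(), []
    for no, line in enumerate(php_source.splitlines(), 1):
        if line.lstrip().startswith(('//', '#', '*', '/*')):
            continue  # skip whole-line comments
        for m in INCLUDE_RE.finditer(line):
            # assignments earlier on the same line also count
            local = assigned | set(ASSIGN_RE.findall(line[:m.start()]))
            for var in VAR_RE.findall(m.group(1)):
                if var not in local:
                    findings.append((no, '$' + var, m.group(0).strip()))
        assigned.update(ASSIGN_RE.findall(line))
    return findings

# The two lines quoted in the advisory from b2edit.showposts.php
VULNERABLE = '''include_once ("b2config.php");
include_once ($b2inc."/b2functions.php");
'''

# Constructed variant (hypothetical): the include directory is pinned in the
# file itself, so the path no longer depends on another file having loaded
PINNED = '''$b2inc = dirname(__FILE__);
include_once ($b2inc."/b2functions.php");
'''

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("pinned", PINNED)):
        print(name, audit_includes(src))
```

A file repaired by copying b2config.php into place is still reported, since the check cannot see across files; treat such a finding as a prompt to confirm that the config file really is present and sets the variable.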