Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Frank (thran60hotmail.com)
Date: Mon May 06 2002 - 05:13:37 CDT
('binary' encoding is not supported, stored as-is)
b2 0.6pre2 and earlier.
B2 is a php script which allows webmasters to quikly post
news on the frontpage and let viewers interact with
eachother. A bug exists in the scripts which allows an
attacker to remotely execute commands.
Taken from /b2-include/b2edit.showposts.php
But since b2config.php does not exist inside the directory,
an attacker can define $b2inc himself.
So if the attacker creates a file on his server, for
example www.attacker.com , called b2functions.php, and he
writes the following in it :
(note : the attacker's server must not be able to run php,
it has to open the file as text)
he can include the file like this :
This would execute the ls command on vulnerablehost.com.
Copy b2config.php into the b2-include directory
The vendor has been warned, and already released the same
fix a few days earlier.