Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Matthew Murphy (mattmurphy_at_kc.rr.com)
Date: Tue Aug 13 2002 - 12:36:53 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Security Advisory: Multiple Vulnerabilities in CafeLog Weblog Package

    Additional Details: http://www.murphy.101main.net/vulns/2002-26.txt

    Issue: Multiple vulnerabilities -- the most serious could allow malicious
    users to execute commands against a web server running the vulnerable

    Risk: Critical

    Scope: Command execution, database manipulation, and
    cross-site scripting

    Affected software: CafeLog b2 Weblog Tool 2.06pre4 confirmed;
    others likely

    Technical Description

        Numerous serious vulnerabilities exist in the "b2" weblog tool by
    CafeLog. Numerous variables are not properly initialized or sanitized,
    allowing for several unsafe actions.

        There are numerous cases of small bits of data being echoed back
    to the browser from variables that can be remotely set by a GPC
    variable. This enables a simple cross-site scripting attack.

        Further, there are several cases where the "tableposts" variable is
    used without proper sanitation. If the machine does not have the option
    "magic_quotes_gpc" enabled, an SQL injection attack can be levied
    against the backend database. However, this may be hampered by
    reported bugs in the PHP mysql_query() function (it only completes
    the first query in a series) that prevent multiple queries from being

        Also, the variable "b2inc" is used as a portion of an include file
    path --
    if this variable is set via GPC, commands can be executed or arbitrary
    code disclosed.

        There are significant mitigating factors to both the SQL injection
    and command-execution vulnerabilities. The SQL injection flaw can
    only be exploited if magic_quotes_gpc has been disabled. The SQL
    injection may be further hampered by an issue in the PHP mysql_query()
    function -- it only executes one query at a time.

        Further, the command execution should be limited to the rights of the
    PHP user, barring exploitation of additional vulnerabilities. On Unix,
    this should be nobody/nobody. On Windows NT/2000/XP, this may
    be the privileges of the IIS Internet Web Account Manager (IWAM),
    equivalent to a guest user. On other NT servers, this will be a similar
    low-privileged account.


    Enabling magic_quotes_gpc eliminates the SQL injection and file reading

    Disabling allow_fopen_url eliminates the command execution vulnerabilities

    However, the cross-site scripting vulnerabilities must be eliminated by a
    patch to the application.

    "The reason the mainstream is thought
    of as a stream is because it is
    so shallow."
                         - Author Unknown