106475 2003-07-03  00:07  /78 lines/ FraMe <frame@hispalab.com>
Imported: 2003-07-03  00:07  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5394>
Subject: Greymatter v1.21d: Remote PHP command injection/execution.
Product: Greymatter v1.21d
Vendor: Noah Grey - GreySoft
Author: FraMe ( frame at kernelpanik.org )
URL: http://www.kernelpanik.org


1. Overview
2. Description
3. How to exploit it?
4. Impact
5. Patch
6. Vendor Response
7. Greetings

1. Overview

Greymatter is a news/weblog tool written in Perl. Greymatter uses
HTML files as its backend storage.

2. Description

Greymatter v1.21d was released to patch a PHP injection vulnerability
( http://www.securityfocus.com/bid/7055 ) in the comments system. It
checks whether the tags "<?" and "?>" are present, but it does not check
for the tags <script language="php"> or "<%" (ASP style; off by default).

3. How to exploit it?

Easy: in the name, email or URL field, a user can input, for example:

<script language="php">PHPCOMMAND;</script >

Note: the blank space in </script > is necessary; it avoids the other checks.

4. Impact

If the comment file is parsed by PHP, this results in remote PHP execution,
usually with web server privileges.

5. Patch

# Entity-encode every "<" and ">" in the user-supplied comment fields so
# that no tag, whatever its spelling, survives into the stored comment file.
sub gm_htmlspecial {

# Convert "<"
$IN{'newcommentbody'} =~ s/</&lt;/g;
$IN{'newcommentauthor'} =~ s/</&lt;/g;
$IN{'newcommentemail'} =~ s/</&lt;/g;
$IN{'newcommenthomepage'} =~ s/</&lt;/g;

# Convert ">"
$IN{'newcommentbody'} =~ s/>/&gt;/g;
$IN{'newcommentauthor'} =~ s/>/&gt;/g;
$IN{'newcommentemail'} =~ s/>/&gt;/g;
$IN{'newcommenthomepage'} =~ s/>/&gt;/g;

}

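The weakness described in section 2 and the fix in section 5, side by side in Python. This is an added example, not the advisory's or Greymatter's code: the sample inputs are constructed, PHPCOMMAND is the page's own placeholder, and weak_filter_rejects only approximates the 1.21d check.

```python
import re

# Constructed sample inputs for the comment fields the advisory names.
# The first mirrors the vector given on the page; the others show the
# tag styles the 1.21d check misses or catches.
SAMPLES = {
    "script-tag (bypass)": '<script language="php">PHPCOMMAND;</script >',
    "asp-style (bypass when asp_tags is on)": "<% PHPCOMMAND; %>",
    "short-tag (caught)": "<?php PHPCOMMAND; ?>",
    "harmless": "John <john@example.com>",
}

# Approximation of the 1.21d approach: a blacklist that only looks
# for the "<?" and "?>" tags (assumed shape of the original check).
def weak_filter_rejects(value: str) -> bool:
    return "<?" in value or "?>" in value

# Approach of the patch on the page: encode every "<" and ">" as an
# HTML entity so no tag, whatever its spelling, reaches the comment file.
def gm_htmlspecial(value: str) -> str:
    return value.replace("<", "&lt;").replace(">", "&gt;")

# Loose detector for anything a PHP engine might treat as a code opener;
# used only to show what survives each approach.
PHP_OPENER = re.compile(r'<\?|<%|<script\s+language\s*=\s*"php"', re.IGNORECASE)

def survives(value: str) -> bool:
    return PHP_OPENER.search(value) is not None

def compare(value: str) -> dict:
    encoded = gm_htmlspecial(value)
    return {
        "blacklist_rejects": weak_filter_rejects(value),
        # True when the blacklist lets a PHP opener through untouched
        "blacklist_survives": survives(value) and not weak_filter_rejects(value),
        "encoded": encoded,
        "encoded_survives": survives(encoded),
    }

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        r = compare(value)
        print(f"{name}: blacklist lets PHP through={r['blacklist_survives']}, "
              f"after entity encoding={r['encoded_survives']}")
```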
Note: a patched gm-comments.cgi can be downloaded from:

6. Vendor Response

02/07/03: Posted in the Greymatter support forum.
                Sent to Bugtraq.

7. Greetings

Fermín J. Serna <fjserna at ngsec.com> (aka Zhodiac)

[ FraMe - frame at kernelpanik.org ]
[ URL - http://frame.lifefromthenet.com ]
[ Kernelpanik - http://www.kernelpanik.org ]
[ PGP KeyID - 0xFA81AC9C ]