b2 Weblog Software Uses Relative Include Path That Allows Remote Users to Execute Arbitrary Shell Commands on the System
SecurityTracker Alert ID: 1004223
SecurityTracker URL: http://securitytracker.com/id/1004223
Date: May 7 2002
Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): b2 0.6pre2 and prior versions
A vulnerability was reported in the 'b2' news forum software. A remote user can execute arbitrary commands on the system with the privileges of the web server.
It is reported that the /b2-include/b2edit.showposts.php script uses a relative definition for the b2functions.php include statement. Because of this, a remote user can define an alternate path for b2functions.php, including one on a remote server. The file can contain malicious code, such as:
The author of the report notes that the file on the remote user's server must be served by that server as text, not executed as PHP.
The following demonstration exploit URL, which will execute the 'ls' command on the target host, is provided:
A remote user can execute arbitrary shell commands on the server with the privileges of the web server.
The vendor has described the following fix:
Create a file named b2config.php and upload it to your b2-include folder. According to the vendor, the file can be blank or a copy of your original b2config.php file; it apparently doesn't matter.
Vendor URL: www.cafelog.com/
Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments: PHP-based
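An added example, not taken from the advisory or from the b2 code base: a Python check that flags PHP include/require statements whose path is built from a variable the script itself never assigns, which is the pattern reported here for $b2inc. The two PHP samples are constructed for illustration, the anchored form is not the vendor's fix, and the function name is hypothetical.

```python
import re

# include / require / include_once / require_once and its argument up to ';'.
# The lookbehind skips variables and method calls that merely end in "include".
INCLUDE_RE = re.compile(
    r"(?<![$\w>])(?:include|require)(?:_once)?\b\s*\(?\s*([^;]*?)\s*\)?\s*;",
    re.IGNORECASE)
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")


def unanchored_includes(source):
    """Return (line, variable, path expression) for every include whose path
    uses a variable that has no plain assignment earlier in the same file.

    Heuristic only: comments and strings are not parsed, so it may over-report.
    """
    findings = []
    for match in INCLUDE_RE.finditer(source):
        expr = match.group(1)
        before = source[:match.start()]
        line = before.count("\n") + 1
        for name in VAR_RE.findall(expr):
            # "$name =" counts as an assignment; "==" and ".=" do not.
            assigned = re.search(r"\$" + re.escape(name) + r"\s*=(?!=)", before)
            if not assigned:
                findings.append((line, name, expr))
    return findings


# Constructed sample in the shape the advisory describes; NOT the b2 source.
SAMPLE_VULNERABLE = '''<?php
include("b2config.php");
include($b2inc . "/b2functions.php");
'''

# Constructed hardened form (an assumption, not the vendor's fix): the include
# path is anchored to the script's own directory before it is used.
SAMPLE_ANCHORED = '''<?php
$b2inc = dirname(__FILE__);
include($b2inc . "/b2functions.php");
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", SAMPLE_VULNERABLE),
                       ("anchored", SAMPLE_ANCHORED)):
        print(label, unanchored_includes(src))
```

A finding means the path depends on a value set somewhere outside the file, so each one needs a manual check of where that value comes from when the script is requested directly.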
Source Message Contents
Subject: b2 php remote command execution
b2 0.6pre2 and earlier.
B2 is a php script which allows webmasters to quickly post
news on the frontpage and let viewers interact with
each other. A bug exists in the scripts which allows an
attacker to remotely execute commands.
Taken from /b2-include/b2edit.showposts.php
But since b2config.php does not exist inside the directory,
an attacker can define $b2inc himself.
So if the attacker creates a file on his server, for
example www.attacker.com , called b2functions.php, and he
writes the following in it:
(note: the attacker's server must not be able to run php,
it has to open the file as text)
he can include the file like this:
This would execute the ls command on vulnerablehost.com.
Copy b2config.php into the b2-include directory
The vendor has been warned, and already released the same
fix a few days earlier.