SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Forum/Board/Portal)  >   Greymatter
Vendors:   Grey, Noah
Greymatter Weblog Input Validation Flaw Lets Remote Users Execute PHP Commands on the Target Server
SecurityTracker Alert ID:  1007103
SecurityTracker URL:  http://securitytracker.com/id/1007103
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 4 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.21d
Description:   An input validation vulnerability was reported in the Greymatter weblog software. A remote user can cause arbitrary PHP to be executed on the target server.

FraMe reported that the software does not properly filter certain HTML code from user-supplied input in the name, email, and URL fields. Specifically, the software is reported to let '<script language="php">' and '<%'-style tags through.

A remote user can insert specially crafted text into one of the affected fields to cause PHP code to be executed on the target system with the privileges of the web server. Some demonstration exploit contents are provided:

<script language="php">PHPCOMMAND;</script >

The vendor has reportedly been notified (on July 2, 2003).

Impact:   A remote user can cause arbitrary PHP code to be executed on the target system with the privileges of the web server process.
Solution:   No solution was available at the time of this entry. An unofficial patch is described in the Source Message and at:

http://www.kernelpanik.org/code/kernelpanik/gmc.zip

Vendor URL:  www.noahgrey.com/greysoft/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Greymatter v1.21d: Remote PHP command injection/execution.


Product: Greymatter v1.21d
Vendor: Noah Grey - GreySoft
Author: FraMe ( frame at kernelpanik.org )
URL: http://www.kernelpanik.org

CONTENTS

1. Overview
2. Description
3. How to exploit it?
4. Impact
5. Patch
6. Vendor Response
7. Greetings

1. Overview

Greymatter is a news/weblog tool written in Perl. Greymatter uses HTML files
as its backend.

2. Description

Greymatter v1.21d was released to patch a PHP injection vulnerability
(http://www.securityfocus.com/bid/7055) in the comments system. It checks if
language="php"> or "<%" (ASP style; default is off).

3. How to exploit it?

Easy: in the name, email or URL fields, a user can input, for example:

<script language="php">PHPCOMMAND;</script >

Note: the blank space in </script > is necessary; it avoids the other checks.

4. Impact

If the comment file is parsed by PHP, this produces remote PHP execution,
usually with web server privileges.

5. Patch

sub gm_htmlspecial {

# Neutralize markup in all four comment fields by converting the angle
# brackets to their HTML entities (complete form, with the trailing
# semicolon), so the stored text can never open or close a tag.

# Convert "<"
$IN{'newcommentbody'} =~ s/</&lt;/g;
$IN{'newcommentauthor'} =~ s/</&lt;/g;
$IN{'newcommentemail'} =~ s/</&lt;/g;
$IN{'newcommenthomepage'} =~ s/</&lt;/g;

# Convert ">"
$IN{'newcommentbody'} =~ s/>/&gt;/g;
$IN{'newcommentauthor'} =~ s/>/&gt;/g;
$IN{'newcommentemail'} =~ s/>/&gt;/g;
$IN{'newcommenthomepage'} =~ s/>/&gt;/g;
}

Note: a patched gm-comments.cgi can be downloaded from:
http://www.kernelpanik.org/code/kernelpanik/gmc.zip
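The note on `</script >` in section 3 and the patch in section 5 make the same point from two sides: a check for particular tag strings can be sidestepped by a variant spelling, while converting every `<` and `>` to an entity leaves nothing for the PHP parser to recognise. The following Python is an added example, not part of this advisory or of Greymatter (which is written in Perl); it contrasts a hypothetical literal-string blacklist with a port of the gm_htmlspecial patch, run over constructed comment fields that carry the page's PHPCOMMAND placeholder. The blacklist tokens, the sample field values and the names blacklist_accepts, gm_htmlspecial_py and escape_fully are assumptions.

```python
import html

# Constructed sample input: the four comment fields the patch covers, with the
# advisory's placeholder payload in the author field (assumed values).
SAMPLE_FIELDS = {
    "newcommentbody": "Nice post!",
    "newcommentauthor": '<script language="php">PHPCOMMAND;</script >',
    "newcommentemail": "reader@example.invalid",
    "newcommenthomepage": "http://example.invalid/",
}

COMMENT_FIELDS = (
    "newcommentbody",
    "newcommentauthor",
    "newcommentemail",
    "newcommenthomepage",
)

# Hypothetical blacklist standing in for a literal tag check. The exact strings
# Greymatter 1.21d matches are not given on the page; these are assumptions
# chosen to show why the "</script >" spelling matters.
BLACKLISTED_TOKENS = ("</script>", "<%")


def blacklist_accepts(value: str) -> bool:
    """Return True if a literal-substring blacklist would let the value through.

    A closing tag written as "</script >" is not equal to "</script>", so the
    comparison never fires; this is the weakness the advisory's note describes.
    """
    lowered = value.lower()
    return not any(token in lowered for token in BLACKLISTED_TOKENS)


def gm_htmlspecial_py(fields: dict) -> dict:
    """Port of the advisory's gm_htmlspecial patch.

    Every "<" and ">" in the four comment fields becomes an entity, so whatever
    the submitter wrote, no tag survives into the stored HTML file.
    """
    out = dict(fields)
    for key in COMMENT_FIELDS:
        if key in out:
            out[key] = out[key].replace("<", "&lt;").replace(">", "&gt;")
    return out


def escape_fully(value: str) -> str:
    """Going beyond the patch: also encode "&" and both quote characters.

    html.escape handles "&" first, so existing entities are not double-broken,
    and quoting protects a value that is later placed inside an attribute
    (the homepage field ends up in an href, for example).
    """
    return html.escape(value, quote=True)


def contains_markup(value: str) -> bool:
    """Cheap post-condition check: nothing that can open or close a tag remains."""
    return "<" in value or ">" in value


if __name__ == "__main__":
    payload = SAMPLE_FIELDS["newcommentauthor"]
    print("blacklist accepts payload:", blacklist_accepts(payload))
    sanitized = gm_htmlspecial_py(SAMPLE_FIELDS)
    for key in COMMENT_FIELDS:
        print(f"{key}: {sanitized[key]!r}  markup left: {contains_markup(sanitized[key])}")
    print("fully escaped homepage:", escape_fully('http://example.invalid/?q="x"'))
```

Running the module shows the blacklist returning True for the page's payload while the entity conversion leaves every field free of angle brackets; the escape_fully variant is the one to prefer when the stored value is later interpolated into an attribute rather than plain text.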

6. Vendor Response

02/07/03: Posted in the Greymatter support forum.
                Sent to Bugtraq.

7. Greetings


==============================
[ FraMe - frame at kernelpanik.org ]
[ URL - http://frame.lifefromthenet.com ]
[ Kernelpanik - http://www.kernelpanik.org ]
[ PGP KeyID - 0xFA81AC9C ]
==============================


Copyright 2021, SecurityGlobal.net LLC