b2 cafelog: remote command execution, sql injection and another flaw.
Date: Mon, 2 Jun 2003 20:37:40 +0200
From: FraMe <[email protected]>
To: [email protected]
Subject: b2 cafelog: remote command execution, sql injection and another flaw.

Products: b2 cafelog 0.6.1 with ljupdate
          b2 cafelog 0.6.2 and prior
Author:   FraMe ( frame at kernelpanik.org )
URL:      http://www.kernelpanik.org

CONTENTS

1. Overview
2. Description
3. Details
4. Vendor Response

1. Overview

b2 is a news/weblog tool written in PHP. b2 uses MySQL as its backend system.

2. Description

"b2 0.6.1 with ljupdate" allows remote command execution in
./b2-include/b2functions.php. A malicious user can inject a URL in $b2inc
and obtain command execution with web server privileges ( usually nobody ).

"b2 0.6.2 and prior" allows SQL injection in ./blog.header.php. $posts isn't
converted to an integer, so we can inject SQL in this variable. In MySQL 4.x
UNION and subselects can be used to obtain privileges.

"b2 0.6.2 and prior" has a little flaw. Bored users can force the server to read
a remote file using $b2inc in ./b2-include/b2menutop.php.

3. Details

b2 0.6.1 with ljupdate, from ./b2-include/b2functions.php:

    <?php
    (..)
    require_once($b2inc."/lj_update.php");
    ?>

b2 0.6.2 and prior, from ./blog.header.php:

    <?php
    (..)
    if ($posts) $posts_per_page=$posts;
    (..)
    $limits = ' LIMIT '.$posts_per_page;
    (..)
    $request = " SELECT $distinct * FROM $tableposts WHERE 1=1".$where." ORDER BY post_$orderby $limits";
    (..)
    $result = mysql_query($request);
    ?>

b2 0.6.2 and prior, from ./b2-include/b2menutop.php:

    <?php
    (..)
    $menu = file($b2inc."/b2menutop.txt");
    (..)
    ?>

4. Vendor Response

20-04-2003: Sent email to vendor.
31-05-2003: No response.
[ FraMe - frame at kernelpanik.org ]
[ URL - http://frame.lifefromthenet.com ]
[ Kernelpanik - http://www.kernelpanik.org ]
[ PGP KeyID - 0xFA81AC9C ]
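Hardened counterparts of the three patterns quoted in the advisory, added here as an example; this is not FraMe's code nor the b2 code base, and the function names, column whitelist and limits are assumptions.

```php
<?php
// Added hardening example (not b2's own code). Function names are hypothetical.

// With register_globals, $b2inc and $posts arrive straight from the request.
// Never derive an include path from input: pin it to the install directory.
define('B2INC', __DIR__ . '/b2-include');

// blog.header.php builds ' LIMIT '.$posts_per_page directly from $posts.
// Coerce it to a bounded positive integer so only digits can reach the query.
function safe_posts_per_page($raw, $default = 10, $max = 100) {
    if (!is_string($raw) && !is_int($raw)) {
        return $default;
    }
    if (!preg_match('/^[1-9][0-9]{0,3}$/', (string) $raw)) {
        return $default;   // non-numeric or oversized input is discarded
    }
    return min((int) $raw, $max);
}

// $orderby is interpolated into "ORDER BY post_$orderby" in the same query;
// accept only known column suffixes (assumed list), never free text.
function safe_orderby($raw) {
    $allowed = array('date', 'title', 'author', 'category');
    return in_array($raw, $allowed, true) ? $raw : 'date';
}

// Rebuilds the advisory's SELECT with validated LIMIT and ORDER BY parts.
// $where is assumed to be assembled elsewhere from escaped values.
function build_posts_query($table, $where, $orderby, $posts) {
    $limit = safe_posts_per_page($posts);
    $col   = safe_orderby($orderby);
    return "SELECT * FROM $table WHERE 1=1$where ORDER BY post_$col LIMIT $limit";
}

// b2menutop.php / b2functions.php pattern: read and include only from B2INC,
// so a URL supplied in $b2inc can never become a remote file or code source.
function load_menu() {
    return file(B2INC . '/b2menutop.txt');
}

// Constructed inputs: a plain number is kept, anything else falls back to the default.
echo build_posts_query('b2posts', '', 'date', '25'), "\n";
echo build_posts_query('b2posts', '', 'date', '10 extra text'), "\n";
echo build_posts_query('b2posts', '', 'not_a_column', '99999'), "\n";
```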