Product: Greymatter v1.21d
Vendor: Noah Grey - GreySoft
Author: FraMe ( frame at kernelpanik.org )
URL: http://www.kernelpanik.org

CONTENTS

1. Overview
2. Description
3. How to exploit it?
4. Impact
5. Patch
6. Vendor Response
7. Greetings

1. Overview

Greymatter is a news/weblog tool written in Perl. Greymatter uses HTML files as its backend storage.

2. Description

Greymatter v1.21d was released to patch a PHP injection vulnerability ( http://www.securityfocus.com/bid/7055 ) in the comments system. It checks whether the tags "<?" and "?>" are present, but it does not check for the tags <script language="php"> or "<%" (ASP style; off by default).

3. How to exploit it?

Easy: in the name, email or URL fields, a user can input, for example:

    <script language="php">PHPCOMMAND;</script >

Note: the blank space in </script > is necessary; it avoids other checks.

4. Impact

If the comment file is parsed by PHP, this produces remote PHP execution, usually with web server privileges.

5. Patch

    sub gm_htmlspecial {
        # Convert "<" to its HTML entity so the stored text can no longer open a tag
        $IN{'newcommentbody'}     =~ s/</&lt;/g;
        $IN{'newcommentauthor'}   =~ s/</&lt;/g;
        $IN{'newcommentemail'}    =~ s/</&lt;/g;
        $IN{'newcommenthomepage'} =~ s/</&lt;/g;

        # Convert ">" to its HTML entity so the stored text can no longer close a tag
        $IN{'newcommentbody'}     =~ s/>/&gt;/g;
        $IN{'newcommentauthor'}   =~ s/>/&gt;/g;
        $IN{'newcommentemail'}    =~ s/>/&gt;/g;
        $IN{'newcommenthomepage'} =~ s/>/&gt;/g;
    }

Note: a patched gm-comments.cgi can be downloaded from: http://www.kernelpanik.org/code/kernelpanik/gmc.zip

6. Vendor Response

02/07/03: Posted in the Greymatter support forum. Sent to Bugtraq.

7. Greetings

Fermín J. Serna <fjserna at ngsec.com> (aka Zhodiac)

==============================
[ FraMe - frame at kernelpanik.org ]
[ URL - http://frame.lifefromthenet.com ]
[ Kernelpanik - http://www.kernelpanik.org ]
[ PGP KeyID - 0xFA81AC9C ]
==============================
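The advisory contrasts two defences: the v1.21d denylist (reject input containing "<?" or "?>") and the patch's escaping of "<" and ">" in every comment field. The following Python script is an added example, not code from the advisory or from Greymatter (which is written in Perl); it reproduces both approaches in a language-neutral way and runs them over constructed sample inputs. The field names are taken from the advisory's patch; html.escape additionally converts "&" and quotes, which is assumed hardening beyond what the patch does.

```python
import html

# Form fields that gm-comments.cgi writes into the comment file
# (names taken from the advisory's patch).
COMMENT_FIELDS = ("newcommentbody", "newcommentauthor",
                  "newcommentemail", "newcommenthomepage")


def denylist_rejects(value: str) -> bool:
    """The v1.21d approach as the advisory describes it: refuse input that
    contains "<?" or "?>". Any other way of opening a PHP block passes unchanged."""
    return "<?" in value or "?>" in value


def escape_field(value: str) -> str:
    """The approach of the advisory's patch: turn "<" and ">" into "&lt;" and
    "&gt;" so the stored text can never start or close a tag when PHP (or a
    browser) parses the file. html.escape also converts "&" and quotes, which
    goes beyond the page's patch (assumed hardening)."""
    return html.escape(value, quote=True)


def sanitize_comment(fields: dict) -> dict:
    """Escape every field the comment file is built from; other keys pass through."""
    return {name: (escape_field(text) if name in COMMENT_FIELDS else text)
            for name, text in fields.items()}


def opens_tag(value: str) -> bool:
    """True if the value still holds a raw "<" or ">", i.e. could form a tag on disk."""
    return "<" in value or ">" in value


# Constructed sample inputs (not from the advisory): the block styles the
# advisory names, plus one ordinary comment. PHPCOMMAND is the page's placeholder.
SAMPLES = {
    "short_tags": "<?php PHPCOMMAND; ?>",                           # caught by v1.21d
    "script_tag": '<script language="php">PHPCOMMAND;</script >',   # missed by v1.21d
    "asp_style": "<% PHPCOMMAND; %>",                               # missed by v1.21d
    "benign": "Tom & Jerry's <3 reply",
}


def compare_checks(samples: dict = SAMPLES) -> dict:
    """Per sample: does the denylist stop it, and does escaping leave anything
    that could still open a tag?"""
    return {
        name: {
            "denylist_rejects": denylist_rejects(text),
            "escaped": escape_field(text),
            "escaped_opens_tag": opens_tag(escape_field(text)),
        }
        for name, text in samples.items()
    }


if __name__ == "__main__":
    for name, result in compare_checks().items():
        print(f"{name:12} denylist_rejects={result['denylist_rejects']!s:5} "
              f"escaped_opens_tag={result['escaped_opens_tag']!s:5} "
              f"{result['escaped']}")
```

Running it shows the point the advisory makes: only the "<?" form trips the denylist, while the other two forms pass it untouched, whereas after escaping none of the four samples contains a character that can open a tag. Escaping on output is the robust fix because it does not depend on enumerating every syntax the parser accepts.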