EmpireCMS 6.6 PHP Code Execution

2012.11.06
Credit: flyh4t
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: EmpireCMS Template Parser Remote PHP Code Execution Vulnerability
# Date: 2012-11-1
# Author: flyh4t
# Software Link: http://www.phome.net
# Version: EmpireCMS 6.6
# CVE :

EmpireCMS Template Parser Remote PHP Code Execution Vulnerability
---------------------------------
By fly
Mail:phpsec@hotmail.com
Site:bbs.wolvez.org
---------------------------------

Empire CMS is a widely used CMS in China. The official website is www.phome.net.

I have found a remote PHP code-execution vulnerability in EmpireCMS 6.6 (the latest version). The issue occurs in the application's template parser. An attacker who entices an unsuspecting victim into installing a malicious template can inject and execute arbitrary PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.

[-] details :

Here is a function of the template parser in /e/class/connect.php
---------------------------------
function ReplaceListVars($no,$listtemp,$subnews,$subtitle,$formatdate,$url,$haveclass=0,$r,$field,$docode=0){
    global $empire,$public_r,$class_r,$class_zr,$fun_r,$dbtbpre,$emod_r,$class_tr,$level_r,$navclassid,$etable_r;
    if($haveclass)
    {
        $add=sys_ReturnBqClassname($r,$haveclass);
    }
    if(empty($r[oldtitle]))
    {
        $r[oldtitle]=$r[title];
    }
    if($docode==1)
    {
        //here is the vul code
        //$listtemp is passed to eval() without being checked.
        $listtemp=stripSlashes($listtemp);
        eval($listtemp);
    }
    ......
}
---------------------------------

Many other files call this function; here is one place:
---------------------------------
// /e/action/ListInfo/index.php line 120
//get the template from the database; it may contain PHP code injected into the database.
$tempr=$empire->fetch1("select tempid,temptext,subnews,listvar,rownum,showdate,modid,subtitle,docode from ".GetTemptb("enewslisttemp")." where tempid='$tempid'");
......
$listtemp=$tempr[temptext];
$rownum=$tempr[rownum];
if(empty($rownum))
{
    $rownum=1;
}
$formatdate=$tempr[showdate];
$subnews=$tempr[subnews];
$subtitle=$tempr[subtitle];
$docode=$tempr[docode];
$modid=$tempr[modid];
$listvar=str_replace('[!--news.url--]',$public_r[newsurl],$tempr[listvar]); // $listvar contains the injected PHP code
......
while($r=$empire->fetch($sql))
{
    $repvar=ReplaceListVars($no,$listvar,$subnews,$subtitle,$formatdate,$url,$have_class,$r,$ret_r,$docode); //here the PHP code gets executed
------------------------------

[-] Disclosure timeline:
[19/10/2012] - Vulnerability discovered
[20/10/2012] - Vendor notified, no response
[01/11/2012] - CVE number requested
[02/11/2012] - Assigned CVE-2012-5777
[05/11/2012] - Public disclosure
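The root cause above is that stored template text reaches eval() whenever the row's docode flag is set. The following is an added example written for this page, not EmpireCMS code: a template renderer that substitutes whitelisted [!--field--] tags (the tag syntax and the column names tempid, temptext, listvar and docode are taken from the snippets above) without ever interpreting template text as PHP, plus an audit helper that flags stored template rows the vulnerable parser would have executed. The sample rows are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not part of EmpireCMS. Tag syntax [!--name--] and the
// column names tempid/temptext/listvar/docode follow the advisory above.

/**
 * Render a list template whose only dynamic parts are [!--name--] tags.
 * Only whitelisted fields are substituted, values are HTML-escaped, and the
 * template string itself is never passed to eval(), so a tampered database
 * row can at worst produce wrong output, never code execution.
 */
function renderListTemplate(string $template, array $row, array $allowedFields): string
{
    return preg_replace_callback(
        '/\[!--([a-zA-Z0-9_.]+)--\]/',
        static function (array $m) use ($row, $allowedFields): string {
            $name = $m[1];
            if (!in_array($name, $allowedFields, true) || !array_key_exists($name, $row)) {
                return $m[0]; // leave unknown tags visible so they are noticed in review
            }
            return htmlspecialchars((string) $row[$name], ENT_QUOTES, 'UTF-8');
        },
        $template
    );
}

/**
 * Audit helper for rows exported from the enewslisttemp table: flag any row
 * whose docode flag is set, or whose template columns contain a PHP open tag
 * or an eval() call, i.e. content the vulnerable parser would execute.
 * Returns tempid => list of reasons.
 */
function auditTemplateRows(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        $reasons = [];
        if ((int) ($row['docode'] ?? 0) === 1) {
            $reasons[] = 'docode=1 (template text is eval()ed)';
        }
        foreach (['temptext', 'listvar'] as $col) {
            $text = (string) ($row[$col] ?? '');
            if (preg_match('/<\?(php|=)?/i', $text)) {
                $reasons[] = "$col contains a PHP open tag";
            }
            if (preg_match('/\beval\s*\(/i', $text)) {
                $reasons[] = "$col contains eval(";
            }
        }
        if ($reasons !== []) {
            $flagged[(int) $row['tempid']] = $reasons;
        }
    }
    return $flagged;
}

// Constructed sample rows standing in for the enewslisttemp table.
$rows = [
    ['tempid' => 1, 'docode' => 0,
     'temptext' => '<ul>[!--empirenews.listtemp--]</ul>',
     'listvar'  => '<li><a href="[!--titleurl--]">[!--title--]</a></li>'],
    ['tempid' => 2, 'docode' => 1,
     'temptext' => '',
     'listvar'  => 'echo date("Y"); eval("return 1;");'],
];

foreach (auditTemplateRows($rows) as $id => $reasons) {
    echo "template $id flagged: " . implode('; ', $reasons) . "\n";
}

// Safe rendering of the first template: the <script> in the title comes out
// escaped, and no part of the template is executed.
$item = ['title' => 'Hello <script>', 'titleurl' => '/news/1.html'];
echo renderListTemplate($rows[0]['listvar'], $item, ['title', 'titleurl']), "\n";
```

Run the audit over a dump of the template tables after an incident or before upgrading: any row flagged for docode=1 or embedded PHP deserves manual review, since on a 6.6 install such a row is executed on every list page render. The renderer shows the design point behind the fix: template data from the database should be substituted into markup, never handed to eval().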

References:

http://www.phome.net

