spud
Joined: 12 Jun 2003 Posts: 2
Posted: Thu Jun 12, 2003 3:08 pm Post subject: security hole
I haven't seen any discussion of this security problem here, so I think it would be great to post this (sorry for my English, it's not my native language):
b2 cafelog: remote command execution, sql injection and another flaw.
@ Exploits -> Other Jun 04 2003, 06:48 (UTC+0)
furcalor writes: Products: b2 cafelog 0.6.1 with ljupdate
b2 cafelog 0.6.2 and prior
Author: FraMe ( frame at kernelpanik.org )
URL: http://www.kernelpanik.org
CONTENTS
1. Overview
2. Description
3. Details
4. Vendor Response
1. Overview.
b2 is a news/weblog tool written in php. b2 uses MySQL as backend system.
2. Description.
"b2 0.6.1 with ljupdate" allows remote command execution in
./b2-include/b2functions.php. A malicious user can inject a URL in $b2inc
and obtain command execution with web server privileges (usually nobody).
"b2 0.6.2 and prior" allows SQL injection in ./blog.header.php. $posts isn't
converted to an integer, so we can inject SQL in this variable. In MySQL 4.x
UNION and subselects can be used to obtain privileges.
"b2 0.6.2 and prior" has a little flaw. Bored users can force the server to read
a remote file using $b2inc in ./b2-include/b2menutop.php
3. Details
b2 0.6.1 with ljupdate.
from ./b2-include/b2functions.php:
=======================
<?php
(..)
require_once($b2inc."/lj_update.php"); // $b2inc is attacker-controllable, so this can include a remote URL
?>
=======================
b2 0.6.2 and prior
from ./blog.header.php:
=======================
<?php
(..)
if ($posts)                       // $posts is used without integer conversion
    $posts_per_page=$posts;
(..)
$limits = ' LIMIT '.$posts_per_page; // and reaches the query text as-is
(..)
$request = " SELECT $distinct * FROM $tableposts WHERE 1=1".$where." ORDER BY post_$orderby $limits";
(..)
$result = mysql_query($request);
?>
=======================
b2 0.6.2 and prior
from ./b2-include/b2menutop.php:
=======================
<?php
(..)
$menu = file($b2inc."/b2menutop.txt"); // unvalidated $b2inc; file() will fetch a remote URL
(..)
?>
=======================
4. Vendor Response
20-04-2003: Sent email to vendor.
31-05-2003: No response.
==============================
[ FraMe - frame at kernelpanik.org ]
[ URL - http://frame.lifefromthenet.com ]
[ Kernelpanik - http://www.kernelpanik.org ]
[ PGP KeyID - 0xFA81AC9C ]
==============================
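Added example, not code from the advisory or from b2: the hardened counterparts of the two patterns described above (integer-only $posts before it reaches LIMIT, and a configuration-only local directory for $b2inc). Helper names are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example, not b2's code. Helper names are hypothetical. Assumes the
// register_globals-era situation in which $posts and $b2inc can be supplied
// by the request unless the script sets them itself.

// blog.header.php pattern: $posts went straight into ' LIMIT '.$posts_per_page.
// Accept only a positive decimal integer; anything else falls back to the
// configured default, so no request-supplied text can reach the query.
function safe_limit_clause($posts, $default_per_page = 10)
{
    if (is_string($posts) || is_int($posts)) {
        $candidate = (string) $posts;
        if (preg_match('/^[1-9][0-9]*$/D', $candidate)) {
            return ' LIMIT ' . (int) $candidate;
        }
    }
    return ' LIMIT ' . (int) $default_per_page;
}

// b2functions.php / b2menutop.php pattern: require_once($b2inc.'/...') and
// file($b2inc.'/...') trusted $b2inc. Take the directory from configuration
// only, resolve it, and insist it is an existing local directory; a URL or a
// non-existent path is refused, so neither a remote include nor a remote
// file() read can happen.
function safe_include_dir($configured_dir)
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $configured_dir)) {
        throw new RuntimeException('b2inc must be a local path, not a URL');
    }
    $real = realpath($configured_dir);
    if ($real === false || !is_dir($real)) {
        throw new RuntimeException('b2inc does not point to a local directory');
    }
    return $real;
}

// Constructed sample inputs modelled on the advisory's attack surface. The
// request value is read explicitly rather than through register_globals.
$posts = isset($_GET['posts']) ? $_GET['posts'] : null;
echo safe_limit_clause('5'), "\n";                // numeric input is kept
echo safe_limit_clause('5 UNION SELECT 1'), "\n"; // non-numeric input falls back to the default
echo safe_limit_clause($posts), "\n";             // absent input falls back to the default
echo safe_include_dir(__DIR__), "\n";             // a real local directory is accepted
try {
    safe_include_dir('http://example.invalid/evil');
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";     // a URL is refused
}
```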
cjc
Joined: 24 Dec 2002 Posts: 146 Location: New York
fplanque
Joined: 22 Dec 2002 Posts: 53 Location: Montpellier, South of France
Posted: Thu Jun 12, 2003 3:27 pm Post subject:
Yes! It is right there 3 lines above your post!!
Btw, these security issues have been fixed in b2evolution.
_________________
-François
Check out: a blogtool for bloggers who want more!
allusion
Joined: 16 Jun 2002 Posts: 73 Location: Houston
Posted: Thu Jun 12, 2003 11:30 pm Post subject:
Also in the last WordPress release. I've been in contact with the security guy as well so we can issue patches before the exploit is made public. (If one ever happens again.)
_________________
Matthew Mullenweg
Wordpress
spud
Joined: 12 Jun 2003 Posts: 2
Posted: Fri Jun 13, 2003 10:07 am Post subject:
Wow. Sorry.
cjc
Joined: 24 Dec 2002 Posts: 146 Location: New York
Posted: Fri Jun 13, 2003 12:43 pm Post subject:
Actually, don't be sorry about posting security warnings. The general public still needs to know about them, not just the people subscribed to BUGTRAQ and the like. Maybe a little bit of reading through the announcements would have helped, though.
michel v Site Admin
Joined: 25 Jan 2002 Posts: 799 Location: Corsica
Posted: Wed Jun 18, 2003 10:56 pm Post subject:
I have never received this email.
fplanque, please PM/email me with your Sourceforge ID so I can add you to the list of users allowed to work on the CVS version.
This way, in the future, when you find/fix such a security issue you can submit the code there directly.