| Title | Published | Source |
|---|---|---|
| EmpireCMS 6.6 PHP Code Execution Vulnerability | 6 Nov 2012 00:00 | zdt |
| CVE-2012-5777 | 16 Nov 2012 00:00 | cve |
| CVE-2012-5777 | 16 Nov 2012 00:00 | cvelist |
| EUVD-2012-5660 | 7 Oct 2025 00:30 | euvd |
| CVE-2012-5777 | 16 Nov 2012 00:55 | nvd |
| Sql injection | 16 Nov 2012 00:55 | prion |
| [CVE-2012-5777] EmpireCMS Template Parser Remote PHP Code Execution Vulnerability | 6 Nov 2012 00:00 | securityvulns |
| Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl) | 6 Nov 2012 00:00 | securityvulns |
```text
# Exploit Title: EmpireCMS Template Parser Remote PHP Code Execution Vulnerability
# Date: 2012-11-1
# Author: flyh4t
# Software Link: http://www.phome.net
# Version: EmpireCMS 6.6
# CVE :
```
EmpireCMS Template Parser Remote PHP Code Execution Vulnerability
---------------------------------
By fly
Mail:[email protected]
Site:bbs.wolvez.org
---------------------------------
Empire CMS is a widely used CMS in China; the official website is www.phome.net.
I have found a remote PHP code-execution vulnerability in EmpireCMS 6.6 (the latest version).
The issue occurs in the application's template parser.
An attacker who entices an unsuspecting victim into installing a malicious template can inject and execute arbitrary PHP code in the context of the web server process.
This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
[-] Details:
Here is the template parser function in /e/class/connect.php:

```php
function ReplaceListVars($no,$listtemp,$subnews,$subtitle,$formatdate,$url,$haveclass=0,$r,$field,$docode=0){
    global $empire,$public_r,$class_r,$class_zr,$fun_r,$dbtbpre,$emod_r,$class_tr,$level_r,$navclassid,$etable_r;
    if($haveclass)
    {
        $add=sys_ReturnBqClassname($r,$haveclass);
    }
    if(empty($r['oldtitle']))
    {
        $r['oldtitle']=$r['title'];
    }
    if($docode==1)
    {
        // Vulnerable code: $listtemp (template text loaded from the database)
        // is passed to eval() without any check.
        $listtemp=stripSlashes($listtemp);
        eval($listtemp);
    }
    // ...
}
```
Many other files use this function; here is one place:

```php
// /e/action/ListInfo/index.php line 120
// Fetch the template from the database; it may contain PHP code that an
// attacker has already injected into the database (e.g. via a malicious template).
$tempr=$empire->fetch1("select tempid,temptext,subnews,listvar,rownum,showdate,modid,subtitle,docode from ".GetTemptb("enewslisttemp")." where tempid='$tempid'");
// ...
$listtemp=$tempr['temptext'];
$rownum=$tempr['rownum'];
if(empty($rownum))
{$rownum=1;}
$formatdate=$tempr['showdate'];
$subnews=$tempr['subnews'];
$subtitle=$tempr['subtitle'];
$docode=$tempr['docode'];
$modid=$tempr['modid'];
$listvar=str_replace('[!--news.url--]',$public_r['newsurl'],$tempr['listvar']);
// $listvar contains the PHP code that was injected into the database
// ...
while($r=$empire->fetch($sql))
{
    $repvar=ReplaceListVars($no,$listvar,$subnews,$subtitle,$formatdate,$url,$have_class,$r,$ret_r,$docode);
    // with docode=1 this call reaches eval() and executes the injected PHP code
    // ...
}
```
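As an added example (not EmpireCMS code and not part of the advisory), the snippet below shows the defensive alternative to the eval() path above: placeholders in the [!--name--] form are substituted from an allowlist of row fields and HTML-escaped, and a helper flags stored template rows that would still reach eval() because docode is set or the template text carries PHP open tags. The function names, the sample row fields and the sample template are constructed for the example.

```php
<?php
// Added example, not EmpireCMS code. Renders a list template by substituting
// allowlisted [!--field--] placeholders instead of passing template text to eval().
// $r is one result row (as in the while loop above); $allowed lists the fields
// a template may reference. Placeholder syntax follows the [!--news.url--] form.
function renderListTemplateSafe(string $listtemp, array $r, array $allowed): string
{
    return preg_replace_callback(
        '/\[!--([a-z0-9_.]+)--\]/i',
        function (array $m) use ($r, $allowed): string {
            $name = $m[1];
            // Unknown or disallowed names render as empty rather than as code.
            if (!in_array($name, $allowed, true) || !array_key_exists($name, $r)) {
                return '';
            }
            // Escape so stored values cannot inject markup into the rendered page.
            return htmlspecialchars((string) $r[$name], ENT_QUOTES, 'UTF-8');
        },
        $listtemp
    );
}

// Audit helper for rows of the enewslisttemp table: a row needs review when
// docode is set (its text would reach eval()) or when the template text
// contains PHP open tags, which only make sense for the eval() path.
function templateNeedsReview(array $tempr): bool
{
    if (!empty($tempr['docode'])) {
        return true;
    }
    $text = ($tempr['temptext'] ?? '') . ($tempr['listvar'] ?? '');
    return preg_match('/<\?(php|=)/i', $text) === 1;
}

// Constructed sample data (field names are assumptions, not the CMS schema).
$row = ['title' => 'Hello <b>world</b>', 'titleurl' => '/news/1.html'];
$listvar = '<li><a href="[!--titleurl--]">[!--title--]</a></li>';
echo renderListTemplateSafe($listvar, $row, ['title', 'titleurl']), PHP_EOL;

$stored = ['docode' => 1, 'temptext' => '', 'listvar' => $listvar];
var_dump(templateNeedsReview($stored));
$stored['docode'] = 0;
var_dump(templateNeedsReview($stored));
```

Running templateNeedsReview over every row of the list-template table gives an administrator of an unpatched install a quick inventory of templates that still depend on the eval() path.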
[-] Disclosure timeline:
[19/10/2012] - Vulnerability discovered
[20/10/2012] - Vendor notified, no response
[01/11/2012] - CVE number requested
[02/11/2012] - Assigned CVE-2012-5777
[05/11/2012] - Public disclosure