Greymatter v1.21d: Remote PHP command injection/execution.

2003-07-03T00:00:00
ID SECURITYVULNS:DOC:4777
Type securityvulns
Reporter Securityvulns
Modified 2003-07-03T00:00:00

Description

Product: Greymatter v1.21d
Vendor: Noah Grey - GreySoft
Author: FraMe ( frame at kernelpanik.org )
URL: http://www.kernelpanik.org

CONTENTS

  1. Overview
  2. Description.
  3. How to exploit it?
  4. Impact.
  5. Patch.
  6. Vendor Response
  7. Greetings

  1. Overview.

Greymatter is a news/weblog tool written in Perl. It uses HTML files as its storage backend.

  2. Description.

Greymatter v1.21d was released to patch a PHP injection vulnerability (http://www.securityfocus.com/bid/7055) in the comments system. The fix checks whether the tags "<?" and "?>" are present, but it does not check for the alternative PHP open tags <script language="php"> or "<%" (ASP style; off by default in PHP).

  3. How to exploit it?

In the name, email or URL fields, a user can input, for example:

<script language="php">PHPCOMMAND;</script >

Note: The blank space in </script > is necessary; it avoids the other checks.

  4. Impact.

If the comment file is parsed by PHP, this results in remote PHP code execution, usually with web server privileges.

  5. Patch.

sub gm_htmlspecial {
    # Convert "<" in every comment field to its HTML entity.
    # (Entities are written as "&lt;" / "&gt;", with the terminating
    # semicolon the original listing omitted.)
    $IN{'newcommentbody'}     =~ s/</&lt;/g;
    $IN{'newcommentauthor'}   =~ s/</&lt;/g;
    $IN{'newcommentemail'}    =~ s/</&lt;/g;
    $IN{'newcommenthomepage'} =~ s/</&lt;/g;

    # Convert ">" in every comment field to its HTML entity.
    $IN{'newcommentbody'}     =~ s/>/&gt;/g;
    $IN{'newcommentauthor'}   =~ s/>/&gt;/g;
    $IN{'newcommentemail'}    =~ s/>/&gt;/g;
    $IN{'newcommenthomepage'} =~ s/>/&gt;/g;
}

Note: A patched gm-comments.cgi can be downloaded from: http://www.kernelpanik.org/code/kernelpanik/gmc.zip
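The following is an added example (not code from the advisory or from Greymatter, which is written in Perl) that models the two defences described above in Python: the v1.21d-style check that only rejects "<?" and "?>", and the patch's gm_htmlspecial escaping, run over constructed sample field values. The PHP_OPEN_TAG regex is an assumed approximation of the three open-tag forms the advisory names, used only to judge what each defence leaves in the stored file.

```python
import re

# Constructed sample values for a comment's name/email/URL fields (not from the advisory).
SAMPLES = {
    "plain": "Nice post, thanks!",
    "short_tag": "<?php echo 1; ?>",
    "script_tag": '<script language="php">echo 1;</script >',
    "asp_tag": "<% echo 1; %>",
}

# Assumed approximation of the PHP open tags the advisory names: "<?", the
# <script language="php"> form, and the ASP-style "<%" (off by default in PHP).
PHP_OPEN_TAG = re.compile(r'<\?|<script\s+language\s*=\s*["\']?php["\']?\s*>|<%', re.IGNORECASE)


def v121d_blocklist_accepts(value: str) -> bool:
    """Models the v1.21d check as the advisory describes it: reject only '<?' / '?>'."""
    return "<?" not in value and "?>" not in value


def gm_htmlspecial(value: str) -> str:
    """Python equivalent of the advisory's patch: turn every '<' and '>' into an
    entity, so no tag of any kind survives into the stored HTML file."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def contains_php_open_tag(value: str) -> bool:
    """Would a PHP parser find an open tag in this text as stored?"""
    return PHP_OPEN_TAG.search(value) is not None


def evaluate(samples: dict) -> dict:
    """For each sample, compare what each defence leaves in the stored file."""
    results = {}
    for name, value in samples.items():
        accepted = v121d_blocklist_accepts(value)
        results[name] = {
            # The blocklist stores the value unchanged whenever it accepts it.
            "blocklist_accepts": accepted,
            "blocklist_stores_php_tag": accepted and contains_php_open_tag(value),
            # The patch stores the escaped value, whatever the input was.
            "escaped_stores_php_tag": contains_php_open_tag(gm_htmlspecial(value)),
        }
    return results


if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLES).items():
        print(f"{name:10s} {verdict}")
```

Running it shows the blocklist accepting the script-tag and ASP-style forms with the open tag intact, while the escaped output contains no PHP open tag for any input.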

  6. Vendor Response

02/07/03: Posted in the Greymatter support forum. Sent to Bugtraq.

  7. Greetings

Fermín J. Serna <fjserna at ngsec.com> (aka Zhodiac)

==============================
[ FraMe - frame at kernelpanik.org ]
[ URL - http://frame.lifefromthenet.com ]
[ Kernelpanik - http://www.kernelpanik.org ]
[ PGP KeyID - 0xFA81AC9C ]
==============================