ID SECURITYVULNS:DOC:4777
Type securityvulns
Reporter Securityvulns
Modified 2003-07-03T00:00:00
Description
Product: Greymatter v1.21d
Vendor: Noah Grey - GreySoft
Author: FraMe ( frame at kernelpanik.org )
URL: http://www.kernelpanik.org
CONTENTS

1. Overview
2. Description
3. How to exploit it?
4. Impact
5. Patch
6. Vendor Response
7. Greetings
1. Overview

Greymatter is a news/weblog tool written in Perl. It has no database backend:
entries and comments are stored as HTML files that are later served (and, on
some installations, parsed by PHP) directly.
2. Description

Greymatter v1.21d was released to patch a PHP injection vulnerability in the
comment system ( http://www.securityfocus.com/bid/7055 ). The fix only checks
whether the tags "<?" and "?>" appear in the submitted fields. It does not
check for the other PHP open-tag styles: <script language="php"> and the
ASP-style "<%" (the latter only matters when asp_tags is enabled, which is off
by default).
3. How to exploit it?

Easy: in the name, email or URL field of a comment, a user can enter, for
example:

<script language="php">PHPCOMMAND;</script >

Note: the blank space in "</script >" is required; it gets the payload past
the other checks while PHP still accepts it as the closing tag.
4. Impact

If the comment file is parsed by PHP, the injected code is executed on the
server, usually with the privileges of the web server user.
5. Patch

sub gm_htmlspecial {

# Convert "<" to its HTML entity. (The "&lt;" / "&gt;" on the right-hand
# side of these substitutions were rendered as bare "<" / ">" in the archived
# copy of this advisory; the entities are restored here, since a substitution
# of "<" for "<" would be a no-op.)
$IN{'newcommentbody'} =~ s/</&lt;/g;
$IN{'newcommentauthor'} =~ s/</&lt;/g;
$IN{'newcommentemail'} =~ s/</&lt;/g;
$IN{'newcommenthomepage'} =~ s/</&lt;/g;

# Convert ">" to its HTML entity
$IN{'newcommentbody'} =~ s/>/&gt;/g;
$IN{'newcommentauthor'} =~ s/>/&gt;/g;
$IN{'newcommentemail'} =~ s/>/&gt;/g;
$IN{'newcommenthomepage'} =~ s/>/&gt;/g;
}
Note: a patched gm-comments.cgi can be downloaded from:
http://www.kernelpanik.org/code/kernelpanik/gmc.zip
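The following is an added example, not Greymatter's code and not part of the original advisory. It reconstructs in Python, with hypothetical function names, the tag check the advisory attributes to v1.21d (reject only "<?" and "?>"), a hypothetical literal-match check on "</script>" standing in for the unspecified "other checks" that the trailing space evades, and the entity-encoding fix from the patch above. It then runs constructed payloads for all three PHP tag styles through both, so the bypass described in section 3 and the effect of the patch in section 5 can be verified side by side.

```python
"""Blocklist vs. entity-encoding for Greymatter-style comment fields.

Added example (not Greymatter's code). Function names are hypothetical;
the payloads are constructed and PHPCOMMAND is a placeholder, not a command.
"""
import re

# Fields named in the advisory's gm_htmlspecial patch.
COMMENT_FIELDS = ("newcommentbody", "newcommentauthor",
                  "newcommentemail", "newcommenthomepage")

# PHP open-tag styles. "<?" is what v1.21d looks for; the script-style and
# ASP-style openers are the ones the advisory says it misses (ASP-style only
# takes effect with asp_tags=On, which is off by default). Both of the missed
# styles were removed from PHP in 7.0, so this matters for PHP 5-era hosts.
PHP_OPEN_TAG = re.compile(
    r'<\?'                                  # <?php, <?=, short open tag
    r'|<script\s+language\s*=\s*["\']?php'  # <script language="php">
    r'|<%',                                 # ASP-style, if asp_tags=On
    re.IGNORECASE,
)


def check_1_21d(value: str) -> bool:
    """Reconstruction (assumed) of the v1.21d check: reject only "<?" / "?>".
    Returns True when the value would be accepted."""
    return "<?" not in value and "?>" not in value


def other_check_assumed(value: str) -> bool:
    """Hypothetical literal-match check on "</script>". The advisory only says
    the trailing space in "</script >" is needed to get past "other checks";
    this models one such check and is an assumption, not Greymatter code."""
    return "</script>" not in value.lower()


def contains_php_open_tag(value: str) -> bool:
    """True if PHP would start executing code somewhere inside this value."""
    return PHP_OPEN_TAG.search(value) is not None


def html_special(value: str) -> str:
    """Python equivalent of the patch's s/</&lt;/g and s/>/&gt;/g.
    Encoding '<' removes every tag opener at once, so no blocklist is needed."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def sanitize_comment(fields: dict) -> dict:
    """Apply html_special to the four patched fields, as gm_htmlspecial does."""
    return {k: (html_special(v) if k in COMMENT_FIELDS else v)
            for k, v in fields.items()}


# Constructed payloads covering the three PHP tag styles.
PAYLOADS = {
    "classic":      '<?php PHPCOMMAND; ?>',
    "script_style": '<script language="php">PHPCOMMAND;</script >',
    "asp_style":    '<% PHPCOMMAND; %>',
}


def evaluate(payload: str) -> dict:
    """Run one payload through the old checks and the patch; report what survives."""
    passes_old = check_1_21d(payload) and other_check_assumed(payload)
    encoded = html_special(payload)
    return {
        "accepted_by_1_21d": passes_old,
        "executable_if_accepted": passes_old and contains_php_open_tag(payload),
        "executable_after_patch": contains_php_open_tag(encoded),
    }


if __name__ == "__main__":
    for name, p in PAYLOADS.items():
        print(f"{name:13s} {evaluate(p)}")
```

Running it shows the classic "<?php" payload rejected by the v1.21d check, the script-style payload (with the space in "</script >") accepted and still executable, and all three payloads harmless once "<" is encoded. One caveat on the patch itself: it encodes only "<" and ">", which is enough to stop PHP from ever seeing an open tag, but it is not a full HTML escape (no "&" or quote encoding), so a value placed inside an HTML attribute would still need quote handling such as Python's html.escape(value, quote=True).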
6. Vendor Response

02/07/03: Posted in the Greymatter support forum.
          Sent to Bugtraq.
7. Greetings
Fermín J. Serna <fjserna at ngsec.com> (aka Zhodiac)
==============================
[ FraMe - frame at kernelpanik.org ]
[ URL - http://frame.lifefromthenet.com ]
[ Kernelpanik - http://www.kernelpanik.org ]
[ PGP KeyID - 0xFA81AC9C ]
==============================
Title Greymatter v1.21d: Remote PHP command injection/execution.
Published 2003-07-03T00:00:00
Href https://vulners.com/securityvulns/SECURITYVULNS:DOC:4777
CVSS none assigned; no CVE listed