e107 BBCode arbitrary PHP code execution vulnerability analysis
Add date: 09/11/2010   Publishing date: 09/11/2010
e107 is a content management system written in PHP.

The [php] bbcode in e107 allows arbitrary PHP code to be executed. Because this is dangerous, e107's configuration generally denies all users access to this bbcode; the administrator can enable the feature for a specific group of users on demand.

The access control check in e107 is not performed inside the bbcode parser. Instead it is implemented in some of the external functions that call the bbcode parser, for example:

    
    function post_toHTML($text, $modifier = true, $extra = '')
    {
        ...

        // If user is not allowed to use [php] change to entities
        if (!check_class($pref['php_bbcode']))
        {
            $text = preg_replace("#\[(php)#i", "&#91;\\1", $text);
        }

        return ($modifier ? $this->toHTML($text, true, $extra) : $text);
    }

This code shows that the toHTML() method does not itself perform the access check for [php], because the check has already been done in the external caller. This means that user input must never go directly to the toHTML() method; otherwise it may lead to remote PHP code execution.

However, user input can reach toHTML() in other parts of the code, for example through the toEmail() method:

    
    function toEmail($text, $posted = "", $mods = "parse_sc, no_make_clickable")
    {
        if ($posted === TRUE && MAGIC_QUOTES_GPC)
        {
            $text = stripslashes($text);
        }

        $text = (strtolower($mods) != "rawtext") ? $this->replaceConstants($text, "full") : $text;
        // No [php] access check before the text is handed to the parser
        $text = $this->toHTML($text, TRUE, $mods);
        return $text;
    }

If the toEmail() method is called on user input, it can lead to remote PHP code execution. An example of this situation is the contact.php file:

    if (isset($_POST['send-contactus'])) {
        $error = "";

        // Each of these POST fields reaches toHTML() through toEmail()
        $sender_name = $tp->toEmail($_POST['author_name'], TRUE, "rawtext");
        $sender = check_email($_POST['email_send']);
        $subject = $tp->toEmail($_POST['subject'], TRUE, "rawtext");
        $body = $tp->toEmail($_POST['body'], TRUE, "rawtext");
        ...
    }

A POST request submitted to contact.php will therefore cause the server to execute arbitrary PHP code.
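
One way to close this class of bug is to perform the [php] check inside toHTML() itself, so that wrappers such as post_toHTML() and toEmail() inherit it and cannot forget it. The example below is added here and is not e107's code or its actual fix; DemoParser and its boolean constructor argument are hypothetical, and the [php] handler only emits a marker instead of evaluating anything.

```php
<?php
// Added example with hypothetical names; not taken from e107.
class DemoParser
{
    private $phpAllowed;

    public function __construct($phpAllowed)
    {
        // Assumption: the caller resolves the permission once, e.g. from
        // check_class($pref['php_bbcode']) as in the excerpt above.
        $this->phpAllowed = (bool) $phpAllowed;
    }

    // Single choke point: every path into the parser passes through here.
    public function toHTML($text)
    {
        if (!$this->phpAllowed) {
            // Same neutralisation post_toHTML() applies, moved into the parser.
            $text = preg_replace('#\[(php)#i', '&#91;\\1', $text);
        }
        // Stand-in for the real [php] handler: report the block, run nothing.
        return preg_replace_callback(
            '#\[php\](.*?)\[/php\]#is',
            function ($m) {
                return '<!-- php block (' . strlen($m[1]) . ' bytes) -->';
            },
            $text
        );
    }

    // Wrappers no longer carry their own check.
    public function post_toHTML($text) { return $this->toHTML($text); }
    public function toEmail($text)     { return $this->toHTML($text); }
}

$input = "Hello [php]echo 1;[/php]";   // constructed sample input

$guest = new DemoParser(false);        // user without the php_bbcode class
$admin = new DemoParser(true);         // user the administrator has allowed

// Both entry points give the guest the same neutralised text.
echo $guest->post_toHTML($input), PHP_EOL;
echo $guest->toEmail($input), PHP_EOL;
// Only the permitted user reaches the [php] handler.
echo $admin->toEmail($input), PHP_EOL;
```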

 