what you don't know can hurt you

EmpireCMS 6.6 PHP Code Execution

EmpireCMS 6.6 PHP Code Execution
Posted Nov 6, 2012
Authored by flyh4t

EmpireCMS version 6.6 template parser suffers from a remote PHP code execution vulnerability.

tags | exploit, remote, php, code execution
advisories | CVE-2012-5777
MD5 | c83068a947bae0d395c76559cafa0809

EmpireCMS 6.6 PHP Code Execution

Change Mirror Download


# Exploit Title: EmpireCMS Template Parser Remote PHP Code Execution Vulnerability
# Date: 2012-11-1
# Author: flyh4t
# Software Link: http://www.phome.net
# Version: EmpireCMS 6.6
# CVE :


EmpireCMS Template Parser Remote PHP Code Execution Vulnerability
---------------------------------
By fly
Mail:phpsec@hotmail.com
Site:bbs.wolvez.org
---------------------------------

Empire CMS is a widely used CMS in china. Official website is www.phome.net.
I have found a remote PHP code-execution vulnerability in EmpireCMS 6.6 (the lastest version).
This issue occurs in the application's template parser.
An
attacker can exploit this issue by enticing an unsuspecting victim to
install a malicious template,can inject and execute arbitrary malicious
PHP code in the context of the webserver process.
This may facilitate a compromise of the application and the underlying system; other attacks are also possible.

[-] details :

Here is a function for template parser in /e/class/connect.php
---------------------------------
function ReplaceListVars($no,$listtemp,$subnews,$subtitle,$formatdate,$url,$haveclass=0,$r,$field,$docode=0){
    global $empire,$public_r,$class_r,$class_zr,$fun_r,$dbtbpre,$emod_r,$class_tr,$level_r,$navclassid,$etable_r;
    if($haveclass)
    {
        $add=sys_ReturnBqClassname($r,$haveclass);
    }
    if(empty($r[oldtitle]))
    {
        $r[oldtitle]=$r[title];
    }
    if($docode==1)
    {      
                //here is the vul code
                //$listtemp is passed to function eval and not checked.
        $listtemp=stripSlashes($listtemp);
        eval($listtemp);
    }
   
        ......
}
---------------------------------

Many other files used this function,here is one place:

---------------------------------
// /e/action/ListInfo/index.php line 120

//get template from datebase which may contain PHP code we have injected into database.

$tempr=$empire->fetch1("select
tempid,temptext,subnews,listvar,rownum,showdate,modid,subtitle,docode
from ".GetTemptb("enewslisttemp")." where tempid='$tempid'");

......


$listtemp=$tempr[temptext];
$rownum=$tempr[rownum];
if(empty($rownum))
{$rownum=1;}
$formatdate=$tempr[showdate];
$subnews=$tempr[subnews];
$subtitle=$tempr[subtitle];
$docode=$tempr[docode];
$modid=$tempr[modid];
$listvar=str_replace('[!--news.url--]',$public_r[newsurl],$tempr[listvar]);
// $listvar contain PHP code we have injected

......

while($r=$empire->fetch($sql))
{
    $repvar=ReplaceListVars($no,$listvar,$subnews,$subtitle,$formatdate,$url,$have_class,$r,$ret_r,$docode);
    //here lead to execute php code

------------------------------


[-] Disclosure timeline:

[19/10/2012] - Vulnerability discovered
[20/10/2012] - Vendor notified,No responsed
[01/11/2012] - CVE number requested
[02/11/2012] - Assigned CVE-2012-5777
[05/11/2012] - Public disclosure

Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close