Tag Archive for DataLife Engine 9.7 Code İnjection exploit

DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability

DataLife Engine 9.7 (preview.php) PHP Code Injection Açığına ilişkin exploit ve açıklamalar aşağıdaki gibidir.

------------------------------------------------------------------
DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability
------------------------------------------------------------------

[-] Software Link:

http://dleviet.com/


[-] Affected Version:

9.7 only.


[-] Vulnerability Description:

The vulnerable code is located in the /engine/preview.php script:

246.	$c_list = implode (',', $_REQUEST['catlist']);
247.
248.	if( strpos( $tpl->copy_template, "[catlist=" ) !== false ) {
249.		$tpl->copy_template = preg_replace( "#\\[catlist=(.+?)\\](.*?)\\[/catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}')", $tpl->copy_template );
250.	}
251.		
252.	if( strpos( $tpl->copy_template, "[not-catlist=" ) !== false ) {
253.		$tpl->copy_template = preg_replace( "#\\[not-catlist=(.+?)\\](.*?)\\[/not-catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}', false)", $tpl->copy_template );
254.	}

User supplied input passed through the $_REQUEST['catlist'] parameter is not properly
sanitized before being used in a preg_replace() call with the e modifier at lines 249 and 253.
This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of
this vulnerability requires a template which contains a “catlist” (or a “not-catlist”) tag.


[-] Solution:

Apply the vendor patch: http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html


[-] Disclosure Timeline:

[16/01/2013] - Vendor notified
[19/01/2013] - Vendor patch released
[20/01/2013] - CVE number requested
[21/01/2013] - CVE number assigned
[28/01/2013] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1412 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2013-01