[KIS-2013-01] DataLife Engine 9.7 (preview.php) PHP Code Injection- Vulnerability

From: Egidio Romano <research@karmainsecurity.com>
To: bugtraq@securityfocus.com
Cc:
Subject: [KIS-2013-01] DataLife Engine 9.7 (preview.php) PHP Code Injection- Vulnerability
Date:


------------------------------------------------------------------
DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability
------------------------------------------------------------------

\u20ac Software Link:

http://dleviet.com/


\u20ac Affected Version:

9.7 only.


\u20ac Vulnerability Description:

The vulnerable code is located in the /engine/preview.php script:

246. $c_list = implode (',', $_REQUEST['catlist']);
247.
248.    if( strpos( $tpl->copy_template, "[catlist=" ) !== false ) {
249.            $tpl->copy_template = preg_replace( 
"#\\[catlist=(.+?)\\](.*?)\\[/catlist\\]#ies", "check_category('\\1', 
'\\2', '{$c_list}')", $tpl->copy_template );
250.   }
251.
252.     if( strpos( $tpl->copy_template, "[not-catlist=" ) !== false ) {
253.                $tpl->copy_template = preg_replace( 
"#\\[not-catlist=(.+?)\\](.*?)\\[/not-catlist\\]#ies", 
"check_category('\\1', '\\2', '{$c_list}', false)", $tpl->copy_template 
);
254.       }

User supplied input passed through the $_REQUEST['catlist'] parameter 
is not properly
sanitized before being used in a preg_replace() call with the e 
modifier at lines 249 and 253.
This can be exploited to inject and execute arbitrary PHP code. 
Successful exploitation of
this vulnerability requires a template which contains a \u20ac\u0153catlist\u20ac (or a 
\u20ac\u0153not-catlist\u20ac) tag.


\u20ac Solution:

Apply the vendor patch: 
http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html


\u20ac Disclosure Timeline:

[16/01/2013] \u20ac\u201c Vendor notified
[19/01/2013] \u20ac\u201c Vendor patch released
[20/01/2013] \u20ac\u201c CVE number requested
[21/01/2013] \u20ac\u201c CVE number assigned
[28/01/2013] \u20ac\u201c Public disclosure


\u20ac CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1412 to this vulnerability.


\u20ac Credits:

Vulnerability discovered by Egidio Romano.


\u20ac Original Advisory:

http://karmainsecurity.com/KIS-2013-01





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.