Home page logo
/

bugtraq logo Bugtraq mailing list archives

[KIS-2013-01] DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability
From: Egidio Romano <research () karmainsecurity com>
Date: Mon, 28 Jan 2013 18:52:10 +0100

------------------------------------------------------------------
DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability
------------------------------------------------------------------

• Software Link:

http://dleviet.com/


• Affected Version:

9.7 only.


• Vulnerability Description:

The vulnerable code is located in the /engine/preview.php script:

246.    $c_list = implode (',', $_REQUEST['catlist']);
247.
248.    if( strpos( $tpl->copy_template, "[catlist=" ) !== false ) {
249. $tpl->copy_template = preg_replace( "#\\[catlist=(.+?)\\](.*?)\\[/catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}')", $tpl->copy_template );
250.    }
251.
252.    if( strpos( $tpl->copy_template, "[not-catlist=" ) !== false ) {
253. $tpl->copy_template = preg_replace( "#\\[not-catlist=(.+?)\\](.*?)\\[/not-catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}', false)", $tpl->copy_template );
254.    }

User supplied input passed through the $_REQUEST['catlist'] parameter is not properly sanitized before being used in a preg_replace() call with the e modifier at lines 249 and 253. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires a template which contains a “catlist” (or a “not-catlist”) tag.


• Solution:

Apply the vendor patch: http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html


• Disclosure Timeline:

[16/01/2013] – Vendor notified
[19/01/2013] – Vendor patch released
[20/01/2013] – CVE number requested
[21/01/2013] – CVE number assigned
[28/01/2013] – Public disclosure


• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1412 to this vulnerability.


• Credits:

Vulnerability discovered by Egidio Romano.


• Original Advisory:

http://karmainsecurity.com/KIS-2013-01


  By Date           By Thread  

Current thread:
  • [KIS-2013-01] DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability Egidio Romano (Jan 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault