[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability
# Published : 2013-01-28
# Author :
# Previous Title : ImageCMS 4.0.0b Multiple Vulnerabilities
# Next Title : php-Charts Arbitrary PHP Code Execution Vulnerability
------------------------------------------------------------------
DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability
------------------------------------------------------------------
[-] Software Link:
http://dleviet.com/
[-] Affected Version:
9.7 only.
[-] Vulnerability Description:
The vulnerable code is located in the /engine/preview.php script:
246. $c_list = implode (',', $_REQUEST['catlist']);
247.
248. if( strpos( $tpl->copy_template, "[catlist=" ) !== false ) {
249. $tpl->copy_template = preg_replace( "#\[catlist=(.+?)\](.*?)\[/catlist\]#ies", "check_category('\1', '\2', '{$c_list}')", $tpl->copy_template );
250. }
251.
252. if( strpos( $tpl->copy_template, "[not-catlist=" ) !== false ) {
253. $tpl->copy_template = preg_replace( "#\[not-catlist=(.+?)\](.*?)\[/not-catlist\]#ies", "check_category('\1', '\2', '{$c_list}', false)", $tpl->copy_template );
254. }
User supplied input passed through the $_REQUEST['catlist'] parameter is not properly
sanitized before being used in a preg_replace() call with the e modifier at lines 249 and 253.
This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of
this vulnerability requires a template which contains a ¡°catlist¡± (or a ¡°not-catlist¡±) tag.
[-] Solution:
Apply the vendor patch: http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html
[-] Disclosure Timeline:
[16/01/2013] - Vendor notified
[19/01/2013] - Vendor patch released
[20/01/2013] - CVE number requested
[21/01/2013] - CVE number assigned
[28/01/2013] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1412 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-01