Skip to content
cyberexploits
webappphptext

DataLife Engine 9.7 - 'preview.php' PHP Code Injection

DataLife Engine 9.7 - 'preview.php' PHP Code Injection

Published on 2013-01-28

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/24438.txt7eac4c3a
raw
------------------------------------------------------------------

DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability

------------------------------------------------------------------



[-] Software Link:



http://dleviet.com/





[-] Affected Version:



9.7 only.





[-] Vulnerability Description:



The vulnerable code is located in the /engine/preview.php script:



246.	$c_list = implode (',', $_REQUEST['catlist']);

247.

248.	if( strpos( $tpl->copy_template, "[catlist=" ) !== false ) {

249.		$tpl->copy_template = preg_replace( "#\\[catlist=(.+?)\\](.*?)\\[/catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}')", $tpl->copy_template );

250.	}

251.		

252.	if( strpos( $tpl->copy_template, "[not-catlist=" ) !== false ) {

253.		$tpl->copy_template = preg_replace( "#\\[not-catlist=(.+?)\\](.*?)\\[/not-catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}', false)", $tpl->copy_template );

254.	}



User supplied input passed through the $_REQUEST['catlist'] parameter is not properly

sanitized before being used in a preg_replace() call with the e modifier at lines 249 and 253.

This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of

this vulnerability requires a template which contains a “catlist” (or a “not-catlist”) tag.





[-] Solution:



Apply the vendor patch: http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html





[-] Disclosure Timeline:



[16/01/2013] - Vendor notified

[19/01/2013] - Vendor patch released

[20/01/2013] - CVE number requested

[21/01/2013] - CVE number assigned

[28/01/2013] - Public disclosure





[-] CVE Reference:



The Common Vulnerabilities and Exposures project (cve.mitre.org)

has assigned the name CVE-2013-1412 to this vulnerability.





[-] Credits:



Vulnerability discovered by Egidio Romano.





[-] Original Advisory:



http://karmainsecurity.com/KIS-2013-01

View on GitHub