Praetorian503 Posted January 30, 2013 Report Posted January 30, 2013 DataLife Engine version 9.7 suffers from a PHP code injection vulnerability in preview.php.------------------------------------------------------------------DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability------------------------------------------------------------------• Software Link:http://dleviet.com/• Affected Version:9.7 only.• Vulnerability Description:The vulnerable code is located in the /engine/preview.php script:246. $c_list = implode (',', $_REQUEST['catlist']);247.248. if( strpos( $tpl->copy_template, "[catlist=" ) !== false ) {249. $tpl->copy_template = preg_replace( "#\\[catlist=(.+?)\\](.*?)\\[/catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}')", $tpl->copy_template );250. }251.252. if( strpos( $tpl->copy_template, "[not-catlist=" ) !== false ) {253. $tpl->copy_template = preg_replace( "#\\[not-catlist=(.+?)\\](.*?)\\[/not-catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}', false)", $tpl->copy_template );254. }User supplied input passed through the $_REQUEST['catlist'] parameter is not properlysanitized before being used in a preg_replace() call with the e modifier at lines 249 and 253.This can be exploited to inject and execute arbitrary PHP code. Successful exploitation ofthis vulnerability requires a template which contains a “catlist” (or a “not-catlist”) tag.• Solution:Apply the vendor patch: http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html• Disclosure Timeline:[16/01/2013] – Vendor notified[19/01/2013] – Vendor patch released[20/01/2013] – CVE number requested[21/01/2013] – CVE number assigned[28/01/2013] – Public disclosure• CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2013-1412 to this vulnerability.• Credits:Vulnerability discovered by Egidio Romano.• Original Advisory:http://karmainsecurity.com/KIS-2013-01Source: PacketStorm Quote
