------------------------------------------------------------------
DataLife Engine 9.7(preview.php) PHP Code Injection Vulnerability
------------------------------------------------------------------[-] Software Link:
http://dleviet.com/[-] Affected Version:9.7 only.[-] Vulnerability Description:
The vulnerable code is located in the /engine/preview.php script:246. $c_list = implode (',', $_REQUEST['catlist']);247.248.if( strpos( $tpl->copy_template,"[catlist=")!== false ){249. $tpl->copy_template = preg_replace("#\\[catlist=(.+?)\\](.*?)\\[/catlist\\]#ies","check_category('\\1', '\\2', '{$c_list}')", $tpl->copy_template );250.}251.252.if( strpos( $tpl->copy_template,"[not-catlist=")!== false ){253. $tpl->copy_template = preg_replace("#\\[not-catlist=(.+?)\\](.*?)\\[/not-catlist\\]#ies","check_category('\\1', '\\2', '{$c_list}', false)", $tpl->copy_template );254.}
User supplied input passed through the $_REQUEST['catlist'] parameter isnot properly
sanitized before being used in a preg_replace() call with the e modifier at lines 249and253.
This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of
this vulnerability requires a template which contains a “catlist” (or a “not-catlist”) tag.[-] Solution:
Apply the vendor patch: http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html
[-] Disclosure Timeline:[16/01/2013]- Vendor notified
[19/01/2013]- Vendor patch released
[20/01/2013]- CVE number requested
[21/01/2013]- CVE number assigned
[28/01/2013]- Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1412 to this vulnerability.[-] Credits:
Vulnerability discovered by Egidio Romano.[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-01
