EmpireCMS 6.6 PHP Code Execution Vulnerability

# Exploit Title: EmpireCMS Template Parser Remote PHP Code Execution Vulnerability 
# Date: 2012-11-1 
# Author: flyh4t 
# Software Link: http://www.phome.net 
# Version: EmpireCMS 6.6  
# CVE :  
 
 
EmpireCMS Template Parser Remote PHP Code Execution Vulnerability 
--------------------------------- 
By fly 
Mail:phpsec@hotmail.com 
Site:bbs.wolvez.org 
--------------------------------- 
 
Empire CMS is a widely used CMS in china. Official website is www.phome.net. 
I have found a remote PHP code-execution vulnerability in EmpireCMS 6.6 (the lastest version). 
This issue occurs in the application's template parser. 
An 
attacker can exploit this issue by enticing an unsuspecting victim to  
install a malicious template,can inject and execute arbitrary malicious  
PHP code in the context of the webserver process.  
This may facilitate a compromise of the application and the underlying system; other attacks are also possible. 
 
[-] details : 
 
Here is a function for template parser in /e/class/connect.php 
--------------------------------- 
function ReplaceListVars($no,$listtemp,$subnews,$subtitle,$formatdate,$url,$haveclass=0,$r,$field,$docode=0){ 
global $empire,$public_r,$class_r,$class_zr,$fun_r,$dbtbpre,$emod_r,$class_tr,$level_r,$navclassid,$etable_r; 
if($haveclass) 
{ 
$add=sys_ReturnBqClassname($r,$haveclass); 
} 
if(empty($r[oldtitle])) 
{ 
$r[oldtitle]=$r[title]; 
} 
if($docode==1) 
{        
//here is the vul code 
//$listtemp is passed to function eval and not checked.  
$listtemp=stripSlashes($listtemp); 
eval($listtemp); 
} 
 
...... 
} 
--------------------------------- 
 
Many other files used this function,here is one place: 
 
--------------------------------- 
// /e/action/ListInfo/index.php line 120 
 
//get template from datebase which may contain PHP code we have injected into database. 
 
$tempr=$empire->fetch1("select 
tempid,temptext,subnews,listvar,rownum,showdate,modid,subtitle,docode  
from ".GetTemptb("enewslisttemp")." where tempid='$tempid'"); 
 
...... 
 
 
$listtemp=$tempr[temptext]; 
$rownum=$tempr[rownum]; 
if(empty($rownum)) 
{$rownum=1;} 
$formatdate=$tempr[showdate]; 
$subnews=$tempr[subnews]; 
$subtitle=$tempr[subtitle]; 
$docode=$tempr[docode]; 
$modid=$tempr[modid]; 
$listvar=str_replace('[!--news.url--]',$public_r[newsurl],$tempr[listvar]); 
// $listvar contain PHP code we have injected 
 
...... 
 
while($r=$empire->fetch($sql)) 
{ 
$repvar=ReplaceListVars($no,$listvar,$subnews,$subtitle,$formatdate,$url,$have_class,$r,$ret_r,$docode); 
//here lead to execute php code 
 
------------------------------ 
 
 
[-] Disclosure timeline: 
 
[19/10/2012] - Vulnerability discovered 
[20/10/2012] - Vendor notified???No responsed 
[01/11/2012] - CVE number requested 
[02/11/2012] - Assigned CVE-2012-5777 
[05/11/2012] - Public disclosure  
 
# 1337day.com [2012-11-11] 
