# Exploit Title: EmpireCMS Template Parser Remote PHP Code Execution Vulnerability
# Date: 2012-11-1
# Author: flyh4t
# Software Link: http://www.phome.net
# Version: EmpireCMS 6.6
# CVE : CVE-2012-5777

---------------------------------
By fly
Mail: phpsec@hotmail.com
Site: bbs.wolvez.org
---------------------------------

Empire CMS is a widely used CMS in China; the official website is www.phome.net.

I have found a remote PHP code-execution vulnerability in EmpireCMS 6.6 (the latest version). The issue is in the application's template parser. An attacker who entices an unsuspecting victim into installing a malicious template can inject and execute arbitrary PHP code in the context of the web server process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.

[-] Details:

Here is the template parser function in /e/class/connect.php:

---------------------------------
function ReplaceListVars($no,$listtemp,$subnews,$subtitle,$formatdate,$url,$haveclass=0,$r,$field,$docode=0){
    global $empire,$public_r,$class_r,$class_zr,$fun_r,$dbtbpre,$emod_r,$class_tr,$level_r,$navclassid,$etable_r;
    if($haveclass)
    {
        $add=sys_ReturnBqClassname($r,$haveclass);
    }
    if(empty($r[oldtitle]))
    {
        $r[oldtitle]=$r[title];
    }
    if($docode==1)
    {
        //here is the vul code
        //$listtemp is passed to function eval and not checked.
        $listtemp=stripSlashes($listtemp);
        eval($listtemp);
    }
    ......
}
---------------------------------

Many other files use this function; here is one place:

---------------------------------
// /e/action/ListInfo/index.php line 120
//get template from database which may contain PHP code we have injected into database.
$tempr=$empire->fetch1("select tempid,temptext,subnews,listvar,rownum,showdate,modid,subtitle,docode from ".GetTemptb("enewslisttemp")." where tempid='$tempid'");
......
$listtemp=$tempr[temptext];
$rownum=$tempr[rownum];
if(empty($rownum))
{$rownum=1;}
$formatdate=$tempr[showdate];
$subnews=$tempr[subnews];
$subtitle=$tempr[subtitle];
$docode=$tempr[docode];
$modid=$tempr[modid];
$listvar=str_replace('[!--news.url--]',$public_r[newsurl],$tempr[listvar]);
// $listvar contains PHP code we have injected
......
while($r=$empire->fetch($sql))
{
    $repvar=ReplaceListVars($no,$listvar,$subnews,$subtitle,$formatdate,$url,$have_class,$r,$ret_r,$docode);
    //here the injected PHP code is executed
------------------------------

[-] Disclosure timeline:

[19/10/2012] - Vulnerability discovered
[20/10/2012] - Vendor notified, no response
[01/11/2012] - CVE number requested
[02/11/2012] - Assigned CVE-2012-5777
[05/11/2012] - Public disclosure
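As an added illustration (my own code, not EmpireCMS's and not the vendor's fix): a list-template renderer that substitutes the [!--name--] placeholders from a whitelist of row fields instead of handing the stored template text to eval(), plus a check that refuses templates carrying PHP tags or the docode flag before anything is rendered. The placeholder syntax follows the advisory; the class, method and field names are assumptions.

```php
<?php
// Added example, not EmpireCMS code: renders [!--name--] list templates by
// substituting a whitelist of row fields instead of passing the text to eval().
// The placeholder syntax follows the advisory; all names here are assumed.
final class SafeListTemplate
{
    /** Fields a template may reference; any other tag is left untouched. */
    private const ALLOWED = ['title', 'oldtitle', 'news.url', 'newstime'];

    /**
     * Reject stored templates that carry PHP code, or whose docode flag asks
     * for execution, before anything is rendered. Matching "<?" alone is
     * deliberately conservative (it also rejects an XML declaration).
     */
    public static function isAcceptable(string $listtemp, int $docode): bool
    {
        if ($docode === 1) {
            return false;                       // never honour "execute as PHP"
        }
        return preg_match('/<\?|\beval\s*\(/i', $listtemp) === 0;
    }

    /** Replace [!--name--] tags with HTML-escaped values from the row $r. */
    public static function render(string $listtemp, array $r): string
    {
        if (empty($r['oldtitle'])) {            // same fallback as the original
            $r['oldtitle'] = $r['title'] ?? '';
        }
        return preg_replace_callback(
            '/\[!--([a-z0-9_.]+)--\]/i',
            static function (array $m) use ($r): string {
                $name = strtolower($m[1]);
                if (!in_array($name, self::ALLOWED, true)) {
                    return $m[0];               // unknown tag: emit literally
                }
                return htmlspecialchars((string)($r[$name] ?? ''), ENT_QUOTES, 'UTF-8');
            },
            $listtemp
        );
    }
}

// Constructed sample row and template (not from the advisory).
$row = ['title' => 'Hello <b>world</b>', 'news.url' => 'https://example.invalid/a'];
$tpl = '<li><a href="[!--news.url--]">[!--oldtitle--]</a></li>';
if (SafeListTemplate::isAcceptable($tpl, 0)) {
    echo SafeListTemplate::render($tpl, $row), PHP_EOL;
}
```

Because values are escaped with htmlspecialchars() and only whitelisted fields are substituted, a template stored by an attacker can at most emit literal text, never code that runs in the web server process.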