[VIM] Vendor dispute for CAN-2005-1181 (Ariadne PHP file include)

Steven M. Christey coley at linus.mitre.org
Tue Jul 5 13:55:53 EDT 2005


Vendor dispute for CAN-2005-1181.

I downloaded the source code - still 2.4 - and verified that both
"ariadne.inc-unix" and "ariadne.inc-win" in the www directory - presumably
one of them is renamed to ariadne.inc on install - set the $ariadne
variable before any require/includes occur in loader.php.

The original research was probably a grep-and-gripe.  Suddenly I feel like
writing an editorial on the apparent rise of grep-and-gripe vulnerability
reporting...

- Steve


---------- Forwarded message ----------
Date: Mon, 04 Jul 2005 13:16:54 +0200 (CEST)
From: Gijsbert te Riet <gijs at muze.nl>
To: cve at mitre.org
Subject: CVE id: CAN-2005-1181

Dear reader,

The vulnerability report on your site, titled 'Ariadne Include File Flaw
Lets Remote Users Execute Arbitrary Commands', is inaccurate.

The report states that, by passing the variable 'ariadne' to the system,
"A remote user can execute arbitrary commands on the target system". This is
flawed, since on each request, the first thing that is done is setting
the 'ariadne' variable to an admin-configured string. This is done by loading
the configuration file 'ariadne.inc'. After that, the 'ariadne' variable will
not contain any information entered via web.

We regret that we were not informed about this 'flaw' before you
published it on your site, and had to find it by accident. It would have
been more appropriate to contact the developer of the system before letting
loose this kind of critical information. That way a fix (or in this case, a
counter argument) could have been made in a day, instead of 4 months.

We hope you will update your entry with this information, and inform us the
next time an issue about one of our projects arises.

With kind regards,
Gijsbert te Riet.
Muze/ Ariadne.
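
Added example (not part of the original thread, and not Ariadne's code): a small triage check for the question both messages turn on, namely whether a variable used in a require/include path has been assigned from a non-request source before the include executes. The file contents, the install path and the "/example/lib.php" target are constructed; only the names loader.php, ariadne.inc and $ariadne come from the thread, and the line-based matching is a heuristic that ignores control flow.

```python
import posixpath
import re

# Constructed stand-ins for the files named in the thread; not the real Ariadne source.
CONFIG = '<?php\n$ariadne = "/opt/ariadne-example";\n'
LOADER_CONFIG_FIRST = ('<?php\nrequire("./ariadne.inc");\n'
                       'require($ariadne . "/example/lib.php");\n')
LOADER_NO_CONFIG = '<?php\nrequire($ariadne . "/example/lib.php");\n'

INCLUDE_RE = re.compile(r'\b(?:require|include)(?:_once)?\s*\(?\s*(.+?)\)?\s*;')
ASSIGN_RE = re.compile(r'^\s*\$(\w+)\s*=(?!=)(.*)')
REQUEST_RE = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE)\b')
LITERAL_RE = re.compile(r'''^["']([^"'$]+)["']$''')


def unset_include_vars(entry, files):
    """Return (file, line, var) for each include path that uses a variable
    with no earlier non-request assignment, following literal includes."""
    assigned, seen, findings = set(), set(), []

    def walk(name):
        if name in seen:          # guard against include cycles
            return
        seen.add(name)
        for lineno, line in enumerate(files[name].splitlines(), 1):
            assign = ASSIGN_RE.match(line)
            if assign:
                var, rhs = assign.groups()
                # A value copied from the request does not count as configured.
                if REQUEST_RE.search(rhs):
                    assigned.discard(var)
                else:
                    assigned.add(var)
                continue
            inc = INCLUDE_RE.search(line)
            if not inc:
                continue
            arg = inc.group(1).strip()
            literal = LITERAL_RE.match(arg)
            if literal:           # fixed path: analyse the included file in place
                target = posixpath.normpath(literal.group(1))
                if target in files:
                    walk(target)
                continue
            findings.extend((name, lineno, v)
                            for v in re.findall(r'\$(\w+)', arg)
                            if v not in assigned)

    walk(entry)
    return findings
```

An empty result for the entry point corresponds to the situation the vendor describes; a finding means the include needs a manual look, not that it is exploitable.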


