[VIM] Vendor ACK for VWar issue - VWar used by PhpNuke Clan

Steven M. Christey coley at mitre.org
Mon Apr 3 23:08:59 EDT 2006



Vendor has provided ACK and fix for CVE-2006-1503.

The front page of the VWar web site (http://www.vwar.de/) says:

  31.03.2006 18:07

  ATTENTION: MAJOR SECURITY UPDATE

  This vulnerability has been reported on securityfocus.com.  We
  recommend to replace the file functions_install.php as soon as
  possible.

  fixed: XSS bug in functions_install.php which could allow malicious
  users to include a (remote) file and eg. execute php commands on the
  server hosting vwar

Obviously, the developer is referring to file inclusion and not "XSS".

Also, for those who care, the following PhpNuke Clan web announcement
shows that it uses VWar as a module:

  http://www.codezwiz.com/article492-phpnuke-clan-210-has-been-released.html

  "PHPNUKE-CLAN.COM Release the new version of PNC! The version 2.1.0
  With VWAR & Server Viewer installed on it! The installation are
  simplified, more block for VWAR and JAG Online for the User Info
  blocks! "

This could be relevant for this Bugtraq post:

  BUGTRAQ:20060401 PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit
  http://www.securityfocus.com/archive/1/archive/1/429615/100/0/threaded

since the demonstration URL here shows the VWar relationship:

  modules/vWar_Account/includes/functions_common.php?vwar_root2=


HOWEVER: since the include file and parameter name are different from the
originally reported vectors for VWar, this could be a separate issue.

PHPNuke Clan requires registration to download, and so does vWar, so I
didn't investigate any further.

- Steve
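The vendor note above describes an include that pulls in a file whose path prefix comes from a request parameter, and the Bugtraq URL shows the same shape (`vwar_root2=`). The following PHP is an added illustration, not code from VWar, PHPNuke Clan, or this list post: it sketches that include pattern next to a hardened form in which the application root is derived from the script's own location and every include is checked to stay inside that tree. The variable name `$vwar_root2` is taken from the page; `VWAR_ROOT`, `safe_include` and the file names are hypothetical placeholders.

```php
<?php
// Added, hypothetical illustration (not VWar's or PHPNuke-Clan's code) of the
// include pattern the vendor note describes, beside a hardened version.
// Assumed names: $vwar_root2 as on the page; all file names are placeholders.

// --- Pattern described by the advisory (constructed for illustration) --------
// With register_globals on, a request parameter ?vwar_root2=... silently
// becomes the variable $vwar_root2 when the script never assigns it. If the
// script then builds an include path from it while allow_url_fopen /
// allow_url_include are enabled, the path prefix is request-controlled and a
// remote file can be fetched and executed as PHP.
function risky_include_example(): void
{
    global $vwar_root2;                                      // request-populated
    include $vwar_root2 . '/includes/functions_common.php';  // placeholder path
}

// --- Hardened pattern ---------------------------------------------------------
// 1. Derive the application root from __FILE__, never from a variable a
//    request can populate.
// 2. Only include plain local files that resolve to a location under that root
//    (this also rejects http://, ftp:// and other stream wrappers).
// 3. Include-only files refuse to run when requested directly (see note below).

define('VWAR_ROOT', dirname(__FILE__));  // hypothetical constant name

function safe_include(string $relative): void
{
    // Accept only a simple relative path with no traversal components.
    if (preg_match('#^[A-Za-z0-9_/.-]+$#', $relative) !== 1
        || strpos($relative, '..') !== false) {
        throw new InvalidArgumentException('bad include name');
    }
    // realpath() resolves symlinks and returns false for non-existent paths
    // and for URLs, so the result is either a real local path or false.
    $target = realpath(VWAR_ROOT . '/' . $relative);
    $prefix = VWAR_ROOT . DIRECTORY_SEPARATOR;
    if ($target === false
        || strncmp($target, $prefix, strlen($prefix)) !== 0
        || !is_file($target)) {
        throw new RuntimeException('include outside application root refused');
    }
    require_once $target;
}

// Guard to place at the top of each include-only file so a direct request
// to it does nothing (the constant is only defined by the entry script):
//   if (!defined('VWAR_ROOT')) { exit; }

safe_include('includes/functions_common.php');  // placeholder file name
```

Two server-side settings complement the code change on hosts that cannot patch immediately: `register_globals = Off` removes the path by which `vwar_root2` becomes a variable at all, and `allow_url_include = Off` (PHP 5.2 and later) stops `include` from fetching remote URLs even when a path is request-controlled.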

