[VIM] REMOTE FILE INCLUSION ( ALL )

Stuart Moore smoore at securityglobal.net
Wed Jun 14 23:10:13 EDT 2006


Similar problem in CVE-2006-2871 (Cyboards), where the 
'/include/common.php' script includes the '/include/config.php' script 
and the 'include/config.php' script defines the $script_path 
parameter to be a static path value.

Stuart



Steven M. Christey wrote:
> I just sent the following to Bugtraq.  Does anybody know of a provably
> correct disclosure from SpC-x?  I've only recently noticed the name.
> 
> Some of the disclosures were so out there that I started to question
> my own assumptions, like: "well, maybe if you have one statement that
> sets a variable to a fixed value and the very next statement has an
> allegedly vulnerable include statement that uses that variable, maybe
> there's some weird OS-specific multiprocessor asynchronous threading
> 64-bit uncleared-register vulnerability related to some poorly
> documented side effect in an API function's implementation deep in the
> PHP interpreter that nobody's noticed but somehow appears in enough
> real-world environments that a bunch of cut-and-paste kiddies are
> hacking into live systems because fools like me are only looking at
> source code and assuming there's no problem."
> 
> Yeah, Vegas is starting to sound pretty good right about now...
> 
> ============================================================
> 
> This post appears to have some errors.
> 
> What PHP version, environment, and operating system did you use to
> test this?  Did you use a real web site, or did you just look at the
> source code?
> 
> When a variable is used in a require or include statement, you must
> make sure that the variable can be controlled by an attacker.  If the
> variable is set to a fixed value, or it can only be changed by the
> administrator, then it probably is not a vulnerability.
> 
>> CzarNews v1.14 Version - Remote File Include Vulnerabilities
>>
>> Link : http://www.root-security.org/danger/CzarNews.txt
> 
> If you search google.com for "CzarNews," then the 4th item is a
> Secunia advisory for exactly the same vulnerability, which is
> attributed to brOmstar and first announced sometime in March 2005.
> That was not mentioned here.
> 
>> Simpnews <= All version - Remote File Include Vulnerabilities
>>
>> Link : http://www.root-security.org/danger/Simpnews.txt
> 
> It will be interesting to see the answer to str0ke's question about
> this problem, since the source code suggests that there is no
> vulnerability.
> 
>> phphg Guestbook Signed.PHP - Remote File Include Vulnerabilities
>>
>> Link : http://www.root-security.org/danger/phphgGuestbook.txt
> 
> The original source code as quoted from this advisory says:
> 
>> # $phphg_real_path = "./";
>> # include($phphg_real_path . 'common.php');
> 
> which doesn't seem exploitable as presented, since $phphg_real_path is
> set to a static value that is not controlled by an attacker.
> 
>> Flog 1.1.2 Version - Remote File Include Vulnerabilities
>>
>> Link : http://www.root-security.org/danger/Flog.txt
> 
> this link gives the code example:
> 
>> # $FLog_dir_include = 'include/';
>> ...
>> require_once($FLog_dir_include.'core.inc.php');
> 
> and, again, the variable is set to a static value.
> 
>> wheatblog 1.0 Version - "wb_inc_dir" Parameter File Inclusion
>> Vulnerability
>>
>> Link : http://www.root-security.org/danger/wheatblog.txt
> 
> which says:
> 
>> # require_once('./settings.php');
>> ...
>> # include_once("$wb_inc_dir/header.php");
>> ...
>> # http://www.victim.com/wheatblog/view_links.php?wb_inc_dir=Command-Shell
> 
> view_links.php does not define $wb_inc_dir, but if we look at
> settings.php, we have:
> 
>> 	$wb_dir = 		'/www/wheatblog';  
>> 	$wb_inc_dir   = "$wb_dir/includes";
> 
> So, if the administrator sets $wb_dir to a fixed value, then
> $wb_inc_dir cannot be controlled by an attacker.
> 
>> MD News 1 Version - Remote File Include Vulnerabilities
>>
>> Link : http://www.root-security.org/danger/MDNews.txt
> 
> the extracted code from this link says:
> 
>> # $configfile = "config.php";
>> # require $configfile;
> 
> and gives a demonstration URL:
> 
>> # http://www.victim.com/MD News/latest.php?configfile=Command-Shell
> 
> but here, again, the variable is defined to a static value (this
> particular source code can be seen from
> http://scripts.ringsworld.com/news-publishing/mdnews/latest.php.html)
> 
> 
> I did not examine the claims for the other products that were listed
> in the original post.
> 
> - Steve
> 

-- 
Stuart Moore
SecurityTracker.com
SecurityGlobal.net LLC
smoore at securityglobal.net
+1 301 495 5930 voice
+1 413 691 4346 fax
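The triage rule Steve applies above (an include whose variable is assigned a constant string, or is derived from one in a config file required first, is not attacker-controlled as written) can be mechanised for a first pass over such advisories. The script below is an added example, not code from this thread or from any of the products named in it. It is a regex heuristic rather than a PHP parser: it walks a file top to bottom, records whether each variable was assigned a constant, request data ($_GET and friends) or nothing at all, classifies every include/require path expression, and follows static includes of files it also has source for so that the settings.php case is handled. All sample files are constructed for the example and only mirror the patterns quoted in the thread.

```python
"""Heuristic triage of PHP include/require claims (constructed example).

Walks a PHP file top to bottom, records how each variable was assigned
(constant string, request data, or not at all) and classifies every
include/require whose path uses a variable. Regex based, so it is a triage
aid for reading advisories, not a parser.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# PHP superglobals and the older arrays that carry request data.
REQUEST_VARS = {"_GET", "_POST", "_REQUEST", "_COOKIE",
                "HTTP_GET_VARS", "HTTP_POST_VARS", "HTTP_COOKIE_VARS"}

ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=(?!=)\s*(.+?);\s*$")
INCLUDE_RE = re.compile(
    r"^\s*(?:include|include_once|require|require_once)\b\s*\(?\s*(.+?)\)?\s*;\s*$")
VAR_RE = re.compile(r"\$(\w+)")
LITERAL_RE = re.compile(r"""^\s*(['"])(.*)\1\s*$""")

Finding = Tuple[str, int, str, str]   # (file, line, path expression, state)


def classify(expr: str, env: Dict[str, str]) -> str:
    """Controllability of a path expression: 'static', 'request' or 'undefined'.

    A double-quoted "$var/x" interpolates $var, so every $name in the
    expression is treated as a reference to that variable.
    """
    states = set()
    for name in VAR_RE.findall(expr):
        states.add("request" if name in REQUEST_VARS else env.get(name, "undefined"))
    if "request" in states:
        return "request"
    if "undefined" in states:
        return "undefined"
    return "static"          # no variables, or only variables set to constants


def analyse(filename: str, sources: Dict[str, str],
            seen: Optional[Set[str]] = None) -> Tuple[Dict[str, str], List[Finding]]:
    """Return the variable states at end of file and every include found."""
    env: Dict[str, str] = {}
    findings: List[Finding] = []
    seen = set() if seen is None else seen
    seen.add(filename)
    for lineno, line in enumerate(sources[filename].splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = classify(m.group(2), env)
            continue
        m = INCLUDE_RE.match(line)
        if not m:
            continue
        expr = m.group(1)
        state = classify(expr, env)
        findings.append((filename, lineno, expr, state))
        # A static include of a file we also have (the settings.php case) may
        # define variables the rest of this file relies on: inherit its state.
        lit = LITERAL_RE.match(expr)
        if state == "static" and lit:
            target = lit.group(2).rsplit("/", 1)[-1]
            if target in sources and target not in seen:
                sub_env, sub_findings = analyse(target, sources, seen)
                env.update(sub_env)
                findings.extend(sub_findings)
    return env, findings


VERDICT = {
    "static": "path is fixed by the source; not attacker-controlled as written",
    "request": "path built from request data; attacker-controlled",
    "undefined": "variable never assigned before use in the analysed files; "
                 "check included config files and register_globals",
}


def report(filename: str, sources: Dict[str, str]) -> List[str]:
    """One verdict line per include/require statement reachable from filename."""
    _, findings = analyse(filename, sources)
    return [f"{f}:{n}: {e} -> {VERDICT[s]}" for f, n, e, s in findings]


# Constructed sample files mirroring the patterns discussed in the thread.
SAMPLES = {
    "signed.php": """<?php
$phphg_real_path = "./";
include($phphg_real_path . 'common.php');
""",
    "view_links.php": """<?php
require_once('./settings.php');
include_once("$wb_inc_dir/header.php");
""",
    "settings.php": """<?php
$wb_dir = '/www/wheatblog';
$wb_inc_dir   = "$wb_dir/includes";
""",
    "page.php": """<?php
$page = $_GET['page'];
include($page . '.php');
""",
    "orphan.php": """<?php
include($theme_dir . 'theme.php');
""",
}

if __name__ == "__main__":
    for name in ("signed.php", "view_links.php", "page.php", "orphan.php"):
        print("\n".join(report(name, SAMPLES)))
```

The "undefined" verdict is deliberately not a "vulnerable" verdict: a variable that is never assigned in the files you have may be set by a config file you do not have, or may be writable from the request under register_globals, and only reading that config settles it. Conversely a "static" verdict only covers the code as written; the script cannot see a later reassignment from a different file, so treat it as a reason to demand a test environment from the reporter, exactly as the reply above does.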




