[VIM] clarification of "VihorDesign" (not VihorDesing) issues
George A. Theall
theall at tenablesecurity.com
Sun Mar 26 22:26:53 EST 2006
Steven M. Christey wrote:
> If you Google, the company seems to be "ViHor Design".
>
> For humor, type "vihordesing" into Google and compare the results to
> "vihordesign".
Great minds think alike? :-)
> Since fopen() can support remote URLs, we have what might appear to be
> a classic PHP remote file issue. However, this is in an fopen(), and
> it's not being fed into an include/require statement; it's just
> echoing the results back to the client. So I don't see how it can be
> used for code execution.
I don't either. I even set up 1.0.6 locally and tried exploiting it --
no code execution, at least on the target host.
> Interestingly though, that's not the attack vector suggested by the
> researcher in the original Bugtraq post, who used <script> tags in the
> page parameter. Since we now know that "page" is only used in an
> fopen call, the "<script>" input must be triggering a verbose PHP
> error on an fopen failure, which doesn't quote the HTML tags.
Running something like:
echo -e 'GET /vihor/index.php?page=<script>alert("peek-a-boo")</script> HTTP/1.0\r\n\r\n' | nc target 80
under PHP 4.4.0-pl1-gentoo returns a line like the following:
<b>Warning</b>: fopen(<script>alert("peek-a-boo")</script>): failed
to open stream: No such file or directory in
<b>/var/www/localhost/htdocs/vihor/index.php</b> on line <b>97</b><br />
so yes, you do have a cross-site scripting flaw provided display_errors
is enabled. Interestingly, though, the next error line is like:
<b>Warning</b>: feof(): supplied argument is not a valid stream
resource in <b>/var/www/localhost/htdocs/vihor/index.php</b> on line
<b>98</b><br />
and this repeats continually. So if you try this in a browser, you'll
probably hang the browser before you pop up any alert boxes.
George
--
theall at tenablesecurity.com
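As an added illustration (not part of George's post and not the ViHor Design code), the following PHP reconstructs the pattern the thread infers from its symptoms, an unchecked fopen() of the page parameter followed by a feof() loop, and places a hardened rewrite beside it. The function names, the allow-list and the pages/ directory are assumptions; the vulnerable form is shown as it behaved on PHP 4/5, where feof() on a non-resource only warns and returns false.

```php
<?php
// Added example, not the vendor's code. Reconstructs the pattern the thread
// describes and shows a hardened replacement. Names and paths are assumed.

// Production setting: warnings must never reach the client. On a real host
// this belongs in php.ini; it is set here so the file runs stand-alone.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// VULNERABLE (reconstructed from the symptoms in the thread):
//  * $page comes straight from the request and is passed to fopen(), so it
//    may be a local path or, with allow_url_fopen, a remote URL.
//  * The fopen() result is never checked. With display_errors=On the warning
//    echoes the raw parameter, which is the cross-site scripting George saw.
//  * feof() is then called on the failed handle (false). On PHP 4/5 that
//    emits a warning and returns false, so !feof($fp) stays true and the
//    loop never ends: the repeated "supplied argument is not a valid stream
//    resource" lines and the browser hang. (PHP 8 throws a TypeError instead.)
function render_page_vulnerable(string $page): void
{
    $fp = fopen($page, 'r');
    while (!feof($fp)) {
        echo fgets($fp);
    }
    fclose($fp);
}

// HARDENED:
//  1. The request value selects from a fixed allow-list; it is never used as
//     a path or URL, so neither local file reads nor remote fetches are possible.
//  2. The path is built from a constant directory, not from user input.
//  3. Existence is checked before reading, so no warning is ever triggered
//     by user-controlled input, and there is no loop over a failed handle.
//  4. Anything echoed that could derive from the request goes through
//     htmlspecialchars(), even though the allow-list already makes it safe.
function render_page_hardened(string $page): string
{
    $allowed = ['home', 'about', 'contact'];   // assumed page names
    if (!in_array($page, $allowed, true)) {
        $page = 'home';                         // fall back, do not echo the bad value
    }
    $path = __DIR__ . '/pages/' . $page . '.html';  // assumed layout
    if (!is_file($path)) {
        return '<p>Page ' . htmlspecialchars($page, ENT_QUOTES, 'UTF-8')
             . ' is not available.</p>';
    }
    $content = file_get_contents($path);
    return $content === false ? '<p>Page unavailable.</p>' : $content;
}

// Usage: only the hardened variant is wired to the request.
$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
echo render_page_hardened($page);
```

The allow-list is the key control: once the parameter can no longer name a file or URL, the remote-fopen question, the verbose-warning XSS and the feof() hang all disappear together, and display_errors=Off is left as defence in depth for warnings from elsewhere in the application.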