[VIM] DISPUTE: PHP file inclusion in Ariadne 2.4.1
Heinbockel, Bill
heinbockel at mitre.org
Mon Nov 6 17:01:47 EST 2006
Researcher: ajann
BUGTRAQ:20061106 Ariadne <= 2.4.1 Multiple Remote File Include Vulnerabilities(New)
http://www.securityfocus.com/archive/1/archive/1/450709/100/0/threaded
XF:ariadne-storeconfig-file-include(30018)
BID:20916
*************************
Examining Ariadne 2.4.1, the reported issues are not possible if the installation instructions are followed...
The files reported are:
/ftp/loader.php <== assumed, this matches the posted code
/lib/includes/loader.cmd.php
The "loader.php" files include:
/ftp/loader.php
/soap/loader.php
/webdav/loader.php
/www/loader.php
Looking at any of the loader.php files, specifically /ftp/loader.php, though they all include /www/ariadne.inc:

    if (!@include("../www/ariadne.inc")) {
        chdir(substr($_SERVER['PHP_SELF'], 0, strrpos($_SERVER['PHP_SE
        include("../www/ariadne.inc");
    }
    require($ariadne."/configs/ariadne.phtml");
    require($ariadne."/configs/ftp/$configfile");
    require($ariadne."/configs/store.phtml");
    require($ariadne."/includes/loader.ftp.php");
    require($ariadne."/configs/sessions.phtml");
    require($ariadne."/stores/".$store_config["dbms"]."store.phtml");
    require($ariadne."/nls/en");
    require($ariadne."/modules/mod_mimemagic.php");
    require($ariadne."/modules/mod_virusscan.php");

Looking in the www directory, there is an ariadne.inc-win and ariadne.inc-unix...
From the installation instructions referenced by the README and located in /docs/install.txt and install.win.rtf, we see that:

    2) Move the www, lib and files directories to their proper place.
       Preferably you don't want the lib and files directories under the
       document root.
       e.g.:
         cd /usr/local/lib/
         tar xvzf ~/ariadne.2.4.1.tgz
         cd /var/www
         ln -s /usr/local/lib/ariadne/www/ ariadne
    ...
    6) Copy the file www/ariadne.inc-unix to www/ariadne.inc and edit it to
       reflect the includepath to the Ariadne lib directory.
       [in ariadne.inc*: $ariadne='/usr/local/lib/ariadne/lib';]

So, if the installation instructions are followed, neither of the two issues exists since the file is either in (1) a not publicly accessible directory or (2) includes the www/ariadne.inc file before using the $ariadne variable.

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615
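
The two conditions from the message above, as an added example that is not part of the original post or of the Ariadne distribution: a shell function that audits an install for them. The function name, its arguments and its exit codes are assumptions of this example.

```sh
# Added example (not Ariadne code): audit an install for the two conditions above.
# Usage: check_ariadne_install DOCROOT WWWDIR
# Returns 0 if both hold, 1 on a finding, 2 on bad arguments.
check_ariadne_install() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "ERROR: no such docroot: $1"; return 2; }
    inc="$2/ariadne.inc"

    # Condition (2): every loader.php includes www/ariadne.inc before it uses
    # $ariadne, so the file must exist (install step 6) and assign the variable.
    if [ ! -f "$inc" ]; then
        echo "FAIL: $inc missing, so \$ariadne is never assigned"
        return 1
    fi
    # Extract the path from a line like: $ariadne='/usr/local/lib/ariadne/lib';
    libpath=$(sed -n 's/^[[:space:]]*\$ariadne[[:space:]]*=[[:space:]]*["'\'']\([^"'\'']*\)["'\''].*/\1/p' "$inc" | tail -n 1)
    if [ -z "$libpath" ]; then
        echo "FAIL: $inc does not assign \$ariadne"
        return 1
    fi

    # Condition (1): the lib directory is not publicly accessible, i.e. its
    # resolved path is not below the document root (install step 2).
    libabs=$(cd "$libpath" 2>/dev/null && pwd -P) || { echo "FAIL: \$ariadne points at missing directory $libpath"; return 1; }
    case "$libabs/" in
        "$docroot"/*) echo "FAIL: lib directory $libabs is under document root $docroot"; return 1 ;;
    esac
    # Limitation: a symlink inside the docroot that targets the lib directory is not detected.
    echo "OK: ariadne.inc sets \$ariadne=$libabs, outside $docroot"
    return 0
}
```

With the layout from the quoted instructions, the call would be `check_ariadne_install /var/www /usr/local/lib/ariadne/www`.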