[VIM] DISPUTE: PHP file inclusion in Ariadne 2.4.1

Heinbockel, Bill heinbockel at mitre.org
Mon Nov 6 17:01:47 EST 2006 

Researcher: ajann
BUGTRAQ:20061106 Ariadne <= 2.4.1 Multiple Remote File Include
Vulnerabilities(New)
http://www.securityfocus.com/archive/1/archive/1/450709/100/0/threaded
XF:ariadne-storeconfig-file-include(30018)
BID:20916

*************************

Examining Ariadne 2.4.1, the reported issues are not possible
if the installation instructions are followed...

The files reported are:
/ftp/loader.php   <== assumed, this matches the posted code
/lib/includes/loader.cmd.php

The "loader.php" files include:
/ftp/loader.php
/soap/loader.php
/webdav/loader.php
/www/loader.php

Looking at any of the loader.php files, specifically
/ftp/loader.php, though they all include /www/ariadne.inc:

    if (!@include("../www/ariadne.inc")) {
        chdir(substr($_SERVER['PHP_SELF'], 0, strrpos($_SERVER['PHP_SE
        include("../www/ariadne.inc");
    }
    require($ariadne."/configs/ariadne.phtml");
    require($ariadne."/configs/ftp/$configfile");
    require($ariadne."/configs/store.phtml");
    require($ariadne."/includes/loader.ftp.php");
    require($ariadne."/configs/sessions.phtml");
    require($ariadne."/stores/".$store_config["dbms"]."store.phtml");
    require($ariadne."/nls/en");
    require($ariadne."/modules/mod_mimemagic.php");

    require($ariadne."/modules/mod_virusscan.php");

Looking in the www directory, there is a ariadne.inc-win and
ariadne.inc-unix...

>From the installation instructions referenced by the README and located
in /docs/install.txt and install.win.rtf, we see that:

2) Move the www, lib and files directories to their proper place.
Preferably you
   don't want the lib and files directories under the document root.
   e.g.:

     cd /usr/local/lib/
     tar xvzf ~/ariadne.2.4.1.tgz
     cd /var/www
     ln -s /usr/local/lib/ariadne/www/ ariadne
...
6) Copy the file www/ariadne.inc-unix to www/ariadne.inc and edit it to
reflect
   the includepath to the Ariadne lib directory.
[in ariadne.inc*:  $ariadne='/usr/local/lib/ariadne/lib';]

So, if the installation instructions are followed, neither of the two
issues
exist since the file is either in (1) a not publicly accessible
directory or
(2) includes the www/ariadne.inc file before using the $ariadne
variable.


William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

More information about the VIM mailing list