[VIM] source VERIFY - PEGames RFI
Steven M. Christey
coley at mitre.org
Thu Nov 30 19:14:46 EST 2006
Researcher: DeltahackingTEAM
Ref: http://www.milw0rm.com/exploits/2840
We have another variable extraction issue. These are fun to find,
even though you always have to remember to look out for them.
1) "Download" URL provided in advisory has no "Index.php", rather, an
"index.php".
2) index.php has:
    include_once("./settings.php");
    ...
    include_once("$abs_url/display.php");
3) settings.php sets $abs_url to a constant value. A-ha! Looks like
typical dispute (wanna guess what my original subject line said?)
4) BUT... the next lines in index.php after that include are:
    $types_to_register = array('GET', 'POST', 'COOKIE', 'SESSION', 'SERVER', 'FILES');
    foreach ($types_to_register as $type) {
        $arr = @${'HTTP_' . $type . '_VARS'};
        if (@count($arr) > 0)
            extract($arr, EXTR_OVERWRITE);
    }
5) and, sure enough, later in the code, we have:
    include_once("$abs_url/cookie.php");
as well as
    include_once("$abs_url/template2.php");
- Steve
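
Added example (not part of the original post and not PEGames code): a small Python source-audit heuristic for the pattern walked through above, an include whose path uses a variable and that appears after an extract() call able to overwrite existing variables. The sample source is constructed from the lines quoted in the post; the name `audit` and the regexes are this example's own assumptions.

```python
import re

# Constructed sample: the statements quoted in the post, in the same order.
SAMPLE_INDEX_PHP = r'''<?php
include_once("./settings.php");
include_once("$abs_url/display.php");
$types_to_register = array('GET', 'POST', 'COOKIE', 'SESSION', 'SERVER', 'FILES');
foreach ($types_to_register as $type) {
    $arr = @${'HTTP_' . $type . '_VARS'};
    if (@count($arr) > 0)
        extract($arr, EXTR_OVERWRITE);
}
include_once("$abs_url/cookie.php");
include_once("$abs_url/template2.php");
'''

EXTRACT_RE = re.compile(r'\bextract\s*\(([^;]*)\)\s*;', re.I)
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\b([^;]*);', re.I)
SINGLE_QUOTED_RE = re.compile(r"'(?:\\.|[^'\\])*'")  # PHP does not interpolate these
VAR_RE = re.compile(r'\$\{?([A-Za-z_]\w*)')
# extract() flags that never replace an existing variable.
# With no flag given, PHP defaults to EXTR_OVERWRITE.
NON_OVERWRITING = ('EXTR_SKIP', 'EXTR_PREFIX_SAME', 'EXTR_PREFIX_ALL')

def audit(source):
    """Return [(line, variable, extract_line)] for every include/require whose
    path uses a variable and that appears after an overwriting extract().
    Heuristic: follows source order within one file, not control flow, and
    does not check where the extracted array came from."""
    findings, extract_line = [], None
    for no, line in enumerate(source.splitlines(), 1):
        m = EXTRACT_RE.search(line)
        if m and not any(f in m.group(1).upper() for f in NON_OVERWRITING):
            extract_line = extract_line or no
        inc = INCLUDE_RE.search(line)
        if inc and extract_line is not None:
            path_expr = SINGLE_QUOTED_RE.sub('', inc.group(1))
            for var in VAR_RE.findall(path_expr):
                findings.append((no, var, extract_line))
    return findings

if __name__ == '__main__':
    for line, var, ext in audit(SAMPLE_INDEX_PHP):
        print(f'line {line}: include path uses ${var}, '
              f'overwritable by extract() on line {ext}')
```

The include of display.php is not reported because it runs before the extract() loop, which matches the distinction the post draws between steps 3 and 5.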