[VIM] CVE-2006-5402, fishy?
Stuart Moore
smoore at securityglobal.net
Wed Oct 18 22:58:45 EDT 2006
Based on a not-quite-complete analysis, this one looks suspicious:
I can't find a copy of version 2.1. However, in looking at newer
versions (2.1.29 and 3.0.1) and in looking at old code from CVS, it
appears that $include_path is specified.
In version 2.1.29, the 'index.php' script (v 1.10 2005/09/19 13:42:00) says:
    include_once ("./includes/config.inc.php");
And the 'config.inc.php' script (v 1.50.2.24 2006/09/30 11:01:16) says:
    $class_path = 'classes'; // classes
So that should prevent any attack via 'class_path' in 2.1.29.
And checking the earlier code from the now defunct CVS repository on
sourceforge (circa release 1.0 time frame):
index.php,v 1.29 2004/01/13 06:39:29:
    include ("./includes/error_report.inc.php") ;
    include ("./includes/global_vars.inc.php") ;
    include ("./includes/config.inc.php");
cart.php,v 1.21 2004/04/06 08:11:03:
    $base_path=".";
    $base_auth = "";
    $base_title = "\$msg[396]";
    require_once ("$base_path/includes/init.inc.php");

    // modules specific to cart.php or its sub-modules
    include("$include_path/cart.inc.php");
init.inc.php,v 1.14 2004/03/02 09:12:56:
    include ("$base_path/includes/error_report.inc.php") ;
    include ("$base_path/includes/global_vars.inc.php") ;
    require("$base_path/includes/config.inc.php");

    // prevents direct script access
    if(preg_match('/init\.inc\.php/', $REQUEST_URI)) {
        include('forbidden.inc.php'); forbidden();
    }

    $include_path = $base_path."/".$include_path;
    $class_path = $base_path."/".$class_path;
config.inc.php,v 1.28 2003/12/22 13:52:12:
    $include_path = 'includes'; // includes
    $class_path = 'classes'; // classes
So, that should prevent attacks via include_path or class_path.
I've written to the vendor for confirmation.
Stuart
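
The manual check in the message above (follow the includes in execution order and see whether the variable is assigned by the script before it reaches an include) can be automated for triage. The following is an added example, not part of the original post and not PMB code. It assumes a register_globals-style model in which any variable the script has not assigned could come from the request, handles only straight-line code, and runs on constructed sample files abbreviated from the quoted excerpts; "orphan.php" is hypothetical.

```python
import re

# Constructed sample, abbreviated from the excerpts quoted in the post.
# "orphan.php" is hypothetical: it uses $include_path without loading config.
FILES = {
    "cart.php": '$base_path=".";\n'
                'require_once ("$base_path/includes/init.inc.php");\n'
                'include("$include_path/cart.inc.php");\n',
    "./includes/init.inc.php": 'require("$base_path/includes/config.inc.php");\n'
                               '$include_path = $base_path."/".$include_path;\n',
    "./includes/config.inc.php": "$include_path = 'includes';\n"
                                 "$class_path = 'classes';\n",
    "orphan.php": 'include("$include_path/cart.inc.php");\n',
}

TOKEN = re.compile(r"""'([^']*)'|"([^"]*)"|\$(\w+)""")
VAR = re.compile(r"\$(\w+)")
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(.+?);")
INCLUDE = re.compile(r"^\s*(?:include|require)(?:_once)?\s*\(?\s*(.+?)\s*\)?\s*;")

def evaluate(expr, env):
    """Evaluate literals, "$var" interpolation and '.' concatenation.
    Returns (value, names of variables the script has not assigned)."""
    value, missing = "", []
    for single, double, var in TOKEN.findall(expr):
        names = [var] if var else VAR.findall(double)
        missing += [n for n in names if n not in env]
        if not missing:
            value += env[var] if var else single or VAR.sub(lambda m: env[m.group(1)], double)
    return value, missing

def audit(path, files, env=None, findings=None):
    """Walk one entry script in execution order, following includes.
    A variable absent from env is one the request could supply (assumed model)."""
    env = {} if env is None else env
    findings = [] if findings is None else findings
    for line in files[path].splitlines():
        if m := ASSIGN.match(line):
            value, missing = evaluate(m.group(2), env)
            if missing:
                env.pop(m.group(1), None)   # built from unassigned input
            else:
                env[m.group(1)] = value     # script-assigned; overrides request
        elif m := INCLUDE.match(line):
            target, missing = evaluate(m.group(1), env)
            if missing:
                findings.append((path, missing))
            elif target in files:
                audit(target, files, env, findings)
    return findings

if __name__ == "__main__":
    for entry in ("cart.php", "orphan.php"):
        print(entry, audit(entry, FILES) or "no request-controllable include path")
```

Each finding is a pair of the file containing the include and the unassigned variables in its path; an empty list for an entry script matches the conclusion reached by hand above.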