[VIM] Likely vendor fix for Faq Administrator 2.1b
Steven M. Christey
coley at mitre.org
Tue Oct 31 17:16:24 EST 2006
Reference:
MISC:http://www.milw0rm.com/exploits/2678
Faq Administrator 3.0 was apparently released today, at the same URL
as mentioned in the milw0rm page. Many files are dated Oct 31.
The "update.txt" file says:
This is a security patch release!
...
A bug has been found that may allow code to be ran on your system.
...
1) DELETE:
c2.php
c3.php
blank.php
faqsend.php
faq_reply.php
hist_replycount.php
mail.php
reply_count.php
total_asked.php
Using the powerful technique of URL guessing, I was able to download
the older 2.1b version. faq_reply.php has this code:
include ("$email");
grep showed that this was the only place where a variable was used in
an include, require, or open statement.
Given the date and the solution, I think this will be treated as
sufficient acknowledgement by CVE.
But, now there's a question of the other files that got deleted.
Based on *casual* inspection, it appears that the other files were
merged into two patch files. These deleted files only contained 6 to
30 lines each. It's not clear whether this combination was defensive
or not, although there did seem to be some possibility of variable
modification, although some files such as blank.php didn't have any
code at all. I didn't look too closely.
- Steve
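The audit step described in the post (grep for a variable used in an include, require, or open statement) can be scripted so it is repeatable across a whole source tree. The following is an added example, not code from the post or from the Faq Administrator project; the PHP sample it scans is constructed and modelled on the quoted `include ("$email");` line. It reports every include/require/fopen whose file argument is built from a PHP variable, which is the pattern that turns a user-controlled parameter into file inclusion, and skips literal-only arguments and single-line comments.

```python
"""Find PHP include/require/fopen statements whose file argument contains a
variable.  Added example (not from the VIM post or the Faq Administrator
project); the SAMPLE_PHP source below is constructed for illustration."""
import re

# Keyword plus everything up to the end of the statement on that line.
STATEMENT_RE = re.compile(
    r'\b(include_once|require_once|include|require|fopen)\b\s*(\(?[^;]*)')
# A PHP variable inside the argument text, e.g. $email or "$dir/x.php".
VARIABLE_RE = re.compile(r'\$[A-Za-z_]\w*')


def find_variable_includes(source: str):
    """Return (line_number, keyword, argument_text) for each statement whose
    file argument contains a PHP variable.  Literal-only arguments are skipped,
    as are lines that are obviously comments.  Statements split across several
    lines are not handled; this is a single-line heuristic like the grep it
    replaces."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(('//', '#', '*', '/*')):
            continue  # comment line, do not report
        for match in STATEMENT_RE.finditer(line):
            keyword, args = match.group(1), match.group(2).strip()
            if VARIABLE_RE.search(args):
                hits.append((lineno, keyword, args))
    return hits


# Constructed sample: line 3 mirrors the vulnerable line quoted in the post.
SAMPLE_PHP = """<?php
require_once 'config.php';
include ("$email");
$fh = fopen($path, 'r');
// include("$old");   commented out, should not be reported
include("templates/" . $page . ".php");
require("static.php");
?>
"""

if __name__ == "__main__":
    for lineno, keyword, args in find_variable_includes(SAMPLE_PHP):
        print(f"line {lineno}: {keyword} {args}")
```

Run it over each `.php` file in a release and diff the output between versions; for the 2.1b to 3.0 change described above, the expected result is that the `include ("$email")` hit disappears and no new variable-driven include appears in the merged patch files.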