[VIM] Likely vendor fix for Faq Administrator 2.1b

Steven M. Christey coley at mitre.org
Tue Oct 31 17:16:24 EST 2006


Reference:

  MISC:http://www.milw0rm.com/exploits/2678

Faq Administrator 3.0 was apparently released today, at the same URL
as mentioned in the milw0rm page.  Many files are dated Oct 31.

The "update.txt" file says:

  This is a security patch release!

  ...

  A bug has been found that may allow code to be ran on your system.

  ...

  1) DELETE:

  c2.php 
  c3.php 
  blank.php
  faqsend.php 
  faq_reply.php
  hist_replycount.php
  mail.php
  reply_count.php
  total_asked.php

Using the powerful technique of URL guessing, I was able to download
the older 2.1b version.  faq_reply.php has this code:

  include ("$email");

grep showed that this was the only place where a variable was used in
an include, require, or open statement.

Given the date and the solution, I think this will be treated as
sufficient acknowledgement by CVE.

But, now there's a question of the other files that got deleted.
Based on *casual* inspection, it appears that the other files were
merged into two patch files.  These deleted files only contained 6 to
30 lines each.  It's not clear whether this combination was defensive
or not, although there did seem to be some possibility of variable
modification, although some files such as blank.php didn't have any
code at all.  I didn't look too closely.

- Steve
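As an added example (my own, not from the post, the vendor or milw0rm): a small Python scanner that does what the grep step in the post did, flagging include/require/fopen-style statements whose argument contains a PHP variable, run over a constructed PHP fragment modelled on the `include ("$email")` line. The sample source, the sink list and the crude comment handling are assumptions.

```python
import re
from typing import List, Tuple

# Statements whose argument should never be attacker-influenced (assumed list).
SINK_RE = re.compile(
    r'\b(include|include_once|require|require_once|fopen|file_get_contents|readfile)\b'
    r'\s*\(?\s*(?P<arg>[^;]+?)\s*\)?\s*;',
    re.IGNORECASE,
)
# A PHP variable reference such as $email or $logfile.
VAR_RE = re.compile(r'\$[A-Za-z_]\w*')

# Constructed PHP sample modelled on the pattern described in the post; not the real file.
SAMPLE_PHP = """<?php
// constructed sample, not the real faq_reply.php
include ("$email");
require_once("config.php");
$fp = fopen($logfile . ".txt", "a");
include_once 'lib/util.php';
echo "done";
"""


def find_variable_includes(src: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, statement, variables) for every sink whose argument
    contains a PHP variable. Literal paths ("config.php") are not reported;
    anything with a variable needs manual review, because a variable that
    comes from the request (register_globals, $_GET, ...) means the caller
    can choose which file is included or opened."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        code = line.split('//')[0]  # crude: drop trailing // comments
        for m in SINK_RE.finditer(code):
            variables = VAR_RE.findall(m.group('arg'))
            if variables:
                hits.append((lineno, m.group(0).strip(), variables))
    return hits


if __name__ == "__main__":
    for lineno, stmt, variables in find_variable_includes(SAMPLE_PHP):
        print(f"line {lineno}: {stmt}  <- variables: {', '.join(variables)}")
```

On the sample it reports line 3 (`$email`) and line 5 (`$logfile`) and stays quiet on the two literal includes, which is the same triage the grep in the post produced.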

