[VIM] ModuleBased CMS file include - CVE dispute
Heinbockel, Bill
heinbockel at mitre.org
Fri Sep 1 14:08:59 EDT 2006
Researcher: ScorpinO
BUGTRAQ:20060829 ModuleBased CMS alfa 1 Multiple Remote File Inclusion
http://www.securityfocus.com/archive/1/archive/1/444897/100/0/threaded
Provides several code snippets that show an include with the
$_SERVER[DOCUMENT_ROOT] parameter, including:
/admin/avatar.php:
<?php
include_once($_SERVER[DOCUMENT_ROOT]."/libs/profile.class.php");
include($_SERVER[DOCUMENT_ROOT]."/libs/config.php");
...
with the POC:
http://www.example.com/[mbcms]/admin/avatar.php?_SERVER=[evil script]
In PHP it is not possible to redeclare the _SERVER global array or the
_SERVER[DOCUMENT_ROOT] index. Hence, there is no possible way for an
attacker to modify any of the variables inside the claimed include
statements.
A download and verification of the code shows the php is as presented
by the researcher. So no chance of a copy/paste error...
William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615