[VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure
George A. Theall
theall at tenablesecurity.com
Thu Apr 26 00:14:59 UTC 2007
Someone help me out please... Milw0rm 3800 / Bugtraq 23643 are for a
flaw that looks like a directory traversal; i.e.,
Exploit:[Path_ext]/examples/layout/feed-proxy.php?feed=../../../../../../etc/passwd
Yet when I look at the code from either version 1.0 alpha 1 (from
<http://yui-ext.com/deploy/ext-1.0-alpha1.zip>), which is supposedly
affected, or 1.0 (from <http://extjs.com/deploy/ext-1.0.zip>), the
latest version, the affected file has the following code:
    $feed = $_REQUEST['feed'];
    if($feed != '' && strpos($feed, 'http') === 0){
        header('Content-Type: text/xml');
        readfile($feed);
        return;
    }
Now doesn't the strpos() along with the "===" test mean that the feed
parameter must start with "http"??? So did Alkomandoz Hacker bother to
test his/her proof of concept???
Now I suppose if the remote has allow_url_fopen enabled, you might be
able to abuse this to try to hide yourself from attacks against
third-party sites, but that's a separate issue.
George
--
theall at tenablesecurity.com
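
Added example, not part of the original post and not ext's own code: the gate quoted in the message, run against the advisory's string, next to a stricter gate that confines the proxy to named feed hosts. The function names, the allowlist and the example.org / example.net hosts are assumptions constructed for illustration.

```php
<?php
// Added illustration; original_gate() mirrors the condition quoted in the post,
// strict_gate() is a hypothetical hardening, not code from ext.

// Same test as feed-proxy.php: non-empty and "http" found at offset 0.
function original_gate(string $feed): bool {
    return $feed != '' && strpos($feed, 'http') === 0;
}

// Hypothetical stricter gate: an absolute http(s) URL, no embedded
// credentials, and a host that appears on an explicit allowlist.
function strict_gate(string $feed, array $allowedHosts): bool {
    $parts = parse_url($feed);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

$allowed = ['feeds.example.org'];            // constructed allowlist
$samples = [                                 // constructed inputs
    '../../../../../../etc/passwd',          // value from the advisory's URL
    'http://feeds.example.org/rss.xml',      // intended use: a known feed
    'http://third-party.example.net/',       // arbitrary remote site
    '',                                      // empty parameter
];

foreach ($samples as $s) {
    printf(
        "%-38s original=%-5s strict=%s\n",
        var_export($s, true),
        original_gate($s) ? 'pass' : 'block',
        strict_gate($s, $allowed) ? 'pass' : 'block'
    );
}
```

The advisory's string is blocked by both gates because strpos() returns false rather than 0 for it, while the third-party URL passes the original gate and is blocked only by the allowlist, which is the separate proxying issue the message mentions.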