[VIM] What the *#$(! -- b2evolution RFI [False]

Heinbockel, Bill heinbockel at mitre.org
Fri Apr 27 15:07:52 UTC 2007


From s433d:
 Remote File Inclusion
 http://www.securityfocus.com/archive/1/archive/1/466886/100/0/threaded

What is going on with the recent trends of really weird exploits:
b2evolution\blogs/a_noskin.php?require=shell?
b2evolution\blogs/a_stub.php?_blog_main.inc.php=shell?
b2evolution\blogs/admin.php?inc_path=
b2evolution\blogs/admin.php?errors/_access_denied.inc.php=shell?
b2evolution\blogs/admin.php?inc_path=shell

Let's see, Windows backslashes? CHECK
File names as parameters? CHECK
Empty PoC examples? CHECK
Unverified exploits? CHECKITY CHECK CHECK

What's the real issue?
n00b? really bad scripter? clueless "kiddie"?
All of the above?
Anyway, on to the Disputes!
From b2evolution 1.9.3 "rainforest" edition:

(1) The inc_path variable is defined in conf/_advanced.php,
which is included by conf/_config.php, which is included
before all later uses of inc_path in all of the following files:
blogs/a_noskin.php
blogs/a_stub.php
blogs/admin.php
blogs/contact.php
blogs/default.php
blogs/index.php
blogs/multiblogs.php

And he forgot one:
blogs/summary.php - which also includes conf/_config.php before
$inc_path


All of the following are also declared in conf/_advanced.php:
(2) $view_path in blogs/admin.php
(3) $control_path.$ctrl_mappings[$ctrl] in blogs/admin.php
[ctrl_mappings[$ctrl] appears to be checked against a static list]
(4) $skins_path in blogs/contact.php and blogs/multiblogs.php

I'm not even going to bother with debunking the example exploits...


William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615
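The dispute above rests on one ordering fact: in each listed file, conf/_config.php (which pulls in conf/_advanced.php and sets $inc_path) is included before $inc_path is ever used in a require. With register_globals on, a request variable named inc_path would be overwritten by that assignment before it could reach the require, so there is nothing to inject. The script below is an added example (not b2evolution code and not part of this post) that automates exactly that check over PHP source: it walks a file line by line and flags any include/require whose path uses the variable before the file has either assigned it or included a config file assumed to define it. The two PHP snippets inside it are constructed for illustration and are not taken from the b2evolution tree.

```python
import re
from dataclasses import dataclass

# Constructed PHP samples (NOT b2evolution source). SAFE_PHP mirrors the
# pattern the post describes: the config include comes first, then the
# variable it defines is used in a require. VULNERABLE_PHP reverses the
# order, which is the only way a register_globals RFI on $inc_path could work.
SAFE_PHP = """<?php
require_once dirname(__FILE__).'/conf/_config.php';
require_once $inc_path.'_main.inc.php';
"""

VULNERABLE_PHP = """<?php
require_once $inc_path.'_main.inc.php';
require_once dirname(__FILE__).'/conf/_config.php';
"""

# Matches require/include/require_once/include_once, with or without
# parentheses, and captures the path expression up to the semicolon.
INCLUDE_RE = re.compile(
    r'\b(?:require|include)(?:_once)?\b\s*\(?\s*(?P<target>[^;]+?)\s*\)?\s*;')


@dataclass
class Finding:
    line: int        # 1-based line number of the suspect include
    statement: str   # the statement as written


def check_include_var(src, var, trusted_includes):
    """Flag include/require statements whose path contains $var while $var
    has not yet been set in this file, either by a direct assignment
    ($var = ...) or by an include of one of `trusted_includes`, which are
    assumed (hypothetical trust boundary) to define it.

    The check establishes ordering only: a variable assigned from $_GET
    before the require would pass it, so taint still has to be reviewed
    by hand."""
    assign_re = re.compile(r'\$' + re.escape(var) + r'\s*=[^=]')
    defined = False
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if assign_re.search(line):
            defined = True
        m = INCLUDE_RE.search(line)
        if not m:
            continue
        target = m.group('target')
        if any(t in target for t in trusted_includes):
            # Config include seen: from here on $var is set by the app,
            # overwriting anything register_globals put there earlier.
            defined = True
            continue
        if ('$' + var) in target and not defined:
            findings.append(Finding(lineno, line.strip()))
    return findings


def is_disputable(src, var='inc_path', trusted_includes=('conf/_config.php',)):
    """True when every include using $var is preceded by the trusted config
    include, i.e. the claimed RFI on that parameter cannot work."""
    return not check_include_var(src, var, trusted_includes)


if __name__ == '__main__':
    for name, src in (('safe', SAFE_PHP), ('vulnerable', VULNERABLE_PHP)):
        hits = check_include_var(src, 'inc_path', ('conf/_config.php',))
        verdict = 'no issue' if not hits else 'uses $inc_path before config'
        print(f'{name}: {verdict}')
        for f in hits:
            print(f'  line {f.line}: {f.statement}')
```

Run it over every file an advisory names; a report that claims RFI through a variable which this check shows is assigned by a config include before first use can be disputed on the same grounds as the one above. The check is deliberately narrow: it says nothing about files that assign the variable from request data, and it does not follow includes into other files.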

