[VIM] What the *#$(! -- b2evolution RFI [False]
Heinbockel, Bill
heinbockel at mitre.org
Fri Apr 27 15:07:52 UTC 2007
From s433d:
Remote File Inclusion
http://www.securityfocus.com/archive/1/archive/1/466886/100/0/threaded
What is going on with the recent trends of really weird exploits:
b2evolution\blogs/a_noskin.php?require=shell?
b2evolution\blogs/a_stub.php?_blog_main.inc.php=shell?
b2evolution\blogs/admin.php?inc_path=
b2evolution\blogs/admin.php?errors/_access_denied.inc.php=shell?
b2evolution\blogs/admin.php?inc_path=shell
Let's see, Windows backslashes? CHECK
File names as parameters? CHECK
Empty PoC examples? CHECK
Unverified exploits? CHECKITY CHECK CHECK
What's the real issue?
n00b? really bad scripter? clueless "kiddie"?
All of the above?
Anyway, on to the Disputes!
From b2evolution 1.9.3 "rainforest" edition:
(1) The inc_path variable is defined in conf/_advanced.php,
which is included by conf/_config.php, which is included
before all later uses of inc_path in all of the following files:
blogs/a_noskin.php
blogs/a_stub.php
blogs/admin.php
blogs/contact.php
blogs/default.php
blogs/index.php
blogs/multiblogs.php
And he forgot one:
blogs/summary.php - which also includes conf/_config.php before $inc_path
All of the following are also declared in conf/_advanced.php:
(2) $view_path in blogs/admin.php
(3) $control_path.$ctrl_mappings[$ctrl] in blogs/admin.php
[ctrl_mappings[$ctrl] appears to be checked against a static list]
(4) $skins_path in blogs/contact.php and blogs/multiblogs.php
I'm not even going to bother with debunking the example exploits...
William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615
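As an added illustration (not from the post, and not b2evolution's code), a small Python checker for exactly the dispute argued above: walk a PHP file's static include chain in source order and flag any include/require whose path is built from a variable that was never assigned earlier on that chain. The file tree is a constructed miniature of the layout the post describes (a_noskin.php -> conf/_config.php -> conf/_advanced.php sets $inc_path); `blogs/bogus.php` is a hypothetical file added to show what a real finding would look like.

```python
import posixpath
import re

# Constructed miniature of the include chain the post describes; the file
# bodies are hypothetical stand-ins, not b2evolution's real sources.
TREE = {
    "blogs/a_noskin.php": "<?php\nrequire_once dirname(__FILE__).'/conf/_config.php';\n"
                          "require $inc_path.'_main.inc.php';\n",
    "blogs/conf/_config.php": "<?php\nrequire_once dirname(__FILE__).'/_advanced.php';\n",
    "blogs/conf/_advanced.php": "<?php\n$inc_path = $basepath.'inc/';\n",
    # Hypothetical file using $inc_path with no config chain: what a real finding looks like.
    "blogs/bogus.php": "<?php\nrequire $inc_path.'_main.inc.php';\n",
}

INCLUDE_LINE = re.compile(r"^\s*(?:require|include)(?:_once)?\b(.*)$")
STATIC_PATH = re.compile(r"dirname\(__FILE__\)\s*\.\s*'([^']+)'")
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=[^=]")
USED_VAR = re.compile(r"\$(\w+)")

def walk(path, tree, assigned, seen, findings):
    """Walk a file in source order, descending into static includes first, and
    record each variable-built include path with whether the variable was set."""
    if path in seen or path not in tree:
        return
    seen.add(path)
    for lineno, line in enumerate(tree[path].splitlines(), 1):
        m = ASSIGN.match(line)
        if m:                      # plain assignment: remember the variable
            assigned.add(m.group(1))
            continue
        m = INCLUDE_LINE.match(line)
        if not m:
            continue
        static = STATIC_PATH.search(m.group(1))
        if static:                 # literal include: follow it before moving on
            target = posixpath.normpath(posixpath.join(posixpath.dirname(path), static.group(1).lstrip("/")))
            walk(target, tree, assigned, seen, findings)
        for var in USED_VAR.findall(m.group(1)):
            findings.append((path, lineno, var, var in assigned))

def rfi_candidates(entry, tree=TREE):
    """Include-path variables used before any assignment reachable from entry;
    an empty list means every such variable was set by the include chain first."""
    findings = []
    walk(entry, tree, set(), set(), findings)
    return [(f, n, v) for f, n, v, defined in findings if not defined]
```

Run against the entry points the advisory names, an empty result is the post's argument in machine-checkable form: the config chain assigns the variable before any include uses it, so a request-supplied value is overwritten.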