[VIM] False: Pluck 4.3 themes.php Remote File Inclusion and disclosure
George A. Theall
theall at tenablesecurity.com
Thu Aug 2 19:19:00 UTC 2007
The issues involving Pluck that were reported today by Aria Security
look bogus to me. Their posting is here:
http://archives.neohapsis.com/archives/bugtraq/2007-08/0017.html
First, we supposedly have a remote file include, but looking at the code
in 'data/inc/theme.php' from version 4.3 we see:
---- snip, snip, snip ----
function read_dir($dir) {
    $path = opendir($dir);
    while (false !== ($file = readdir($path))) {
        if(($file !== ".") and ($file !== "..") and ($file !== "themepref.php") and ($file !== "predefined_variables.php")) {
            if(is_file($dir."/".$file))
                $files[]=$file;
            else
                $dirs[]=$dir."/".$file;
        }
    }
    if($dirs) {
        foreach ($dirs as $dir) {
            include ("$dir/theme.php");
...
read_dir("data/inc/themes");
---- snip, snip, snip ----
In other words, the code claimed to be vulnerable occurs in a function
which is called with an argument that is not under the attacker's control.
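As an added example (not Pluck's code and not part of the post), a small Python script that applies the same check mechanically: for each include inside a function, it asks whether the include argument names a superglobal or whether any call site passes something other than a string literal. The Pluck excerpt is the one quoted above, trimmed; the second snippet is a hypothetical contrast in which the call site is a request parameter, which is the shape an actual remote file include would need.

```python
import re

# Constructed excerpt of Pluck 4.3's data/inc/theme.php as quoted in the post,
# trimmed to the include and the single call site that decide the RFI question.
PLUCK_SNIPPET = r'''
function read_dir($dir) {
    $path = opendir($dir);
    while (false !== ($file = readdir($path))) {
        if (is_file($dir."/".$file)) $files[] = $file;
        else $dirs[] = $dir."/".$file;
    }
    if ($dirs) {
        foreach ($dirs as $dir) { include ("$dir/theme.php"); }
    }
}
read_dir("data/inc/themes");
'''
# Hypothetical contrast (not Pluck code): the same function fed a request
# parameter, which is the shape a genuine remote file include would need.
TAINTED_SNIPPET = PLUCK_SNIPPET.replace('read_dir("data/inc/themes");',
                                        'read_dir($_GET["d"]);')

SUPERGLOBAL = re.compile(r'\$_(GET|POST|REQUEST|COOKIE|FILES|SERVER)\b')
FUNC = re.compile(r'function\s+(\w+)\s*\(([^)]*)\)\s*\{')
INCLUDE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*([^;]+?)\s*\)?\s*;')
LITERAL = re.compile(r'^\s*(["\']).*\1\s*$')   # a bare quoted string argument

def function_bodies(src):
    """Yield (name, body) for each PHP function by brace-matching from its '{'."""
    for m in FUNC.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += {'{': 1, '}': -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def triage_includes(src):
    """Report, for every include/require inside a function, whether its path can
    be attacker-controlled: the argument names a superglobal, or some call site
    passes a non-literal. Shallow by design (argument shape only, no data flow)."""
    findings = []
    for name, body in function_bodies(src):
        call_re = re.compile(r'\b%s\s*\((.*?)\)\s*;' % re.escape(name))
        callers = [a.strip() for a in call_re.findall(src)]
        for inc in INCLUDE.findall(body):
            tainted = bool(SUPERGLOBAL.search(inc)) or any(
                not LITERAL.match(c) for c in callers)
            findings.append({"function": name, "include": inc,
                             "callers": callers, "attacker_controlled": tainted})
    return findings
```

Running `triage_includes` on the Pluck excerpt reports the include in `read_dir` with a single literal caller and `attacker_controlled` False; the hypothetical variant flags it True.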
Second, there's supposedly a file disclosure issue involving the same
script. The actual code looks like this:
---- snip, snip, snip ----
//Save the theme-data
if(isset($_POST['Submit'])) {
    $data = "data/inc/themes/themepref.php";
    $file = fopen($data, "w");
    fputs($file, "<?php \$themepref = \"$cont\"; ?>");
    fclose($file);
    echo "$lang_theme3
    <META HTTP-EQUIV=\"REFRESH\" CONTENT=\"3; URL=?action=options\">"; }
---- snip, snip, snip ----
Thus, the code is actually writing to a specific file -- no chance of
reading and displaying its contents.
Lastly... you have to be logged in to access the script as it starts
with this:
---- snip, snip, snip ----
//Check if we're logged in
if ($_SESSION["cmssystem_loggedin"] != "ok") {
    echo "access denied";
    exit; }
---- snip, snip, snip ----
George
--
theall at tenablesecurity.com