[VIM] Local File Inclusion inconclusive in PwP (was Fwd: php web portail [remote file include & local fileinclude])

Heinbockel, Bill heinbockel at mitre.org
Fri Feb 2 15:43:32 EST 2007


>-----Original Message-----
>From: vim-bounces at attrition.org 
>[mailto:vim-bounces at attrition.org] On Behalf Of str0ke
>Sent: Thursday, 1 February 2007 16:58
>To: Vulnerability Information Managers
>Subject: [VIM] Fwd: php web portail [remote file include & 
>local fileinclude]
>
>The local include doesn't seem right.
>
>/index.php
>
>$site_path="./";
>

Right, it doesn't seem right, because you're looking at the wrong
parameter ;-)

The original PoC was for the page parameter.
/index.php?page=../../../../../../../../../../../../../../../../../../../etc/passwd

After doing some further digging, it is still unclear as to whether
the issue is valid. index.php includes includes/includes.php, which
includes includes/function/function.php, which is used by includes.php
to import every file under includes/classes/php4/. This ends up
including roughly 50 other PHP files...

Looking for use of the $page variable shows that
system/compteur/Compteur.class.php and system/redirection.class.php
may be vulnerable. However, I did not spend the time to dig through
call stacks to see if the functions are ever called starting from
index.php.

In the end, CVE calls this inconclusive...
Too many vulnerabilities, too little time.

BTW, str0ke was right with the RFI; that one is definitely possible.


William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615 
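
Added example, not part of the original post and not PwP code: a small static triage of the question raised above, namely whether a file that passes $page to include/require is reached from index.php through the include chain. The file contents in SAMPLE_TREE are constructed, and the helper names (include_args, walk, triage) are hypothetical; only literal include paths are followed, so a run-time directory import yields "inconclusive".

```python
import re
from collections import deque
from posixpath import dirname, join, normpath

INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\b\s*\(?\s*([^;]+?)\s*\)?\s*;")
LITERAL_RE = re.compile(r"""^(['"])([^'"$]+)\1$""")

# Constructed sample: file names follow the post; contents are invented
# for illustration and are not the project's code.
SAMPLE_TREE = {
    "index.php": "<?php $site_path='./'; include('includes/includes.php'); ?>",
    "includes/includes.php": "<?php require_once 'function/function.php'; ?>",
    "includes/function/function.php":
        "<?php foreach (glob('includes/classes/php4/*.php') as $f) { include $f; } ?>",
    "system/redirection.class.php": "<?php function go($page) { include($page); } ?>",
    "system/compteur/Compteur.class.php": "<?php function hit($page) { return $page; } ?>",
}

def include_args(src):
    """Raw argument of every include/require statement in PHP source."""
    return INCLUDE_RE.findall(src)

def walk(tree, entry):
    """Follow literal includes from entry: (reached files, dynamic includes)."""
    reached, dynamic, queue = {entry}, [], deque([entry])
    while queue:
        cur = queue.popleft()
        for arg in include_args(tree[cur]):
            lit = LITERAL_RE.match(arg)
            if not lit:
                dynamic.append((cur, arg))  # path only known at run time
                continue
            # Simplification: accept a match relative to the including
            # file's directory or to the tree root.
            for cand in (join(dirname(cur), lit.group(2)), lit.group(2)):
                cand = normpath(cand)
                if cand in tree and cand not in reached:
                    reached.add(cand)
                    queue.append(cand)
    return reached, dynamic

def triage(tree, entry, var):
    """Verdict for each file that passes $var to include/require."""
    reached, dynamic = walk(tree, entry)
    uses = re.compile(r"\$" + re.escape(var) + r"\b")
    verdicts = {}
    for path, src in tree.items():
        if any(uses.search(arg) for arg in include_args(src)):
            verdicts[path] = ("reachable" if path in reached
                              else "inconclusive" if dynamic else "unreachable")
    return verdicts
```
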

