[VIM] [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability
George A. Theall
theall at tenablesecurity.com
Thu Mar 15 20:09:49 UTC 2007
On 03/15/07 15:44, Ferdy Riphagen wrote:
> html/content.php contains:
> <?
> $c_category = !isset($c_category)? "":$c_category;
> include "./basepath.php";
> $c_module = "content";
> include "$c_basepath/base/groupit.start.inc";
..
> After normal install basepath.php has (my case)
> <?
> $c_basepath = "/chroot/apache2/www/test/groupit/groupit";
> $c_block_cache = 1;
> ?>
>
> I couldn't find load.inc.php, userprofile.php, dispatch.php (or I need
> some sleep)
I haven't set it up, but looking at the code in
groupit/base/groupit.start.inc I see it registers any global variables
passed in if register_globals is disabled or magic_quotes_gpc is
enabled; eg,

    if (!get_cfg_var("register_globals") || (get_magic_quotes_gpc()))
    {
        /* Register our own global variables when register_globals in
           php.ini is disabled. */
        reset($HTTP_ENV_VARS);
        reset($HTTP_GET_VARS);
        reset($HTTP_POST_VARS);
        reset($HTTP_COOKIE_VARS);
        reset($HTTP_SERVER_VARS);
        while (list ($key, $val) = each ($HTTP_POST_FILES))
            $GLOBALS[$key]=$val;
        while (list ($key, $val) = each ($HTTP_ENV_VARS))
            $GLOBALS[$key]=$val;
        while (list ($key, $val) = each ($HTTP_GET_VARS))
            $GLOBALS[$key]=stripslashes($val);
        while (list ($key, $val) = each ($HTTP_POST_VARS))
            $GLOBALS[$key]=stripslashes($val);
        while (list ($key, $val) = each ($HTTP_COOKIE_VARS))
            $GLOBALS[$key]=$val;
        while (list ($key, $val) = each ($HTTP_SERVER_VARS))
            $GLOBALS[$key]=$val;

So while I don't know about the missing files, it does seem that an
attacker may be able to overwrite $c_basepath, which will then be used
further down in this file to include at least two files.
George
--
theall at tenablesecurity.com
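
Added example, not part of the original post and not Groupit code: the register_globals emulation quoted above copies every request key into the global scope, so a key named c_basepath replaces the value basepath.php set earlier. The sketch below puts that pattern next to an allowlisted import. The function names, the array standing in for $GLOBALS, and the sample values are all assumptions made for illustration.

```php
<?php
// Added illustration; function names and sample data are hypothetical.
// A plain array stands in for $GLOBALS so the effect is easy to inspect.

// Pattern from the excerpt: every request key becomes a variable,
// even when the application already set that variable itself.
function import_unsafe(array &$scope, array $request): void {
    foreach ($request as $key => $val) {
        $scope[$key] = $val;
    }
}

// Hardened variant: only names on an allowlist are imported, only string
// values are accepted, and a value the application set is never replaced.
function import_allowlisted(array &$scope, array $request, array $allowed): void {
    foreach ($allowed as $key) {
        if (isset($request[$key])
            && is_string($request[$key])
            && !array_key_exists($key, $scope)) {
            $scope[$key] = $request[$key];
        }
    }
}

// Constructed sample: state after basepath.php has run, and a request
// that carries a c_basepath parameter (placeholder value).
$config  = ['c_basepath' => '/srv/www/groupit', 'c_block_cache' => 1];
$request = ['c_category' => 'news', 'c_basepath' => 'REQUEST-SUPPLIED-VALUE'];

$a = $config;
import_unsafe($a, $request);

$b = $config;
import_allowlisted($b, $request, ['c_category']);

// With the unsafe import, any later include built from c_basepath uses
// the request's value; with the allowlist, the configured path survives.
echo "unsafe import:      c_basepath = {$a['c_basepath']}\n";
echo "allowlisted import: c_basepath = {$b['c_basepath']}\n";
echo "allowlisted import: c_category = {$b['c_category']}\n";
```

Independently of how request variables are imported, setting allow_url_include to Off in php.ini keeps include from fetching URL-style paths.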