[VIM] [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability
str0ke
str0ke at milw0rm.com
Thu Mar 15 20:03:48 UTC 2007
How goes it Ferdy,
content.php contains:
line 5: include "$c_basepath/base/groupit.start.inc";
groupit.start.inc contains (if ! register_globals or if magic quotes =
on the program is vulnerable)
if (!get_cfg_var("register_globals") || (get_magic_quotes_gpc()))
{
/* Register our own global variables when register_globals in
php.ini is disabled. */
reset($HTTP_ENV_VARS);
reset($HTTP_GET_VARS);
reset($HTTP_POST_VARS);
reset($HTTP_COOKIE_VARS);
reset($HTTP_SERVER_VARS);
while (list ($key, $val) = each ($HTTP_POST_FILES)) $GLOBALS[$key]=$val;
while (list ($key, $val) = each ($HTTP_ENV_VARS)) $GLOBALS[$key]=$val;
while (list ($key, $val) = each ($HTTP_GET_VARS)) {
$GLOBALS[$key]=stripslashes($val); echo "$key $val"; }
while (list ($key, $val) = each ($HTTP_POST_VARS))
$GLOBALS[$key]=stripslashes($val);
while (list ($key, $val) = each ($HTTP_COOKIE_VARS)) $GLOBALS[$key]=$val;
while (list ($key, $val) = each ($HTTP_SERVER_VARS)) $GLOBALS[$key]=$val;
if (is_array($HTTP_POST_FILES))
{
reset($HTTP_POST_FILES);
while (list($key, $val) = each($HTTP_POST_FILES))
{
$GLOBALS[$key] = $val['tmp_name'];
$GLOBALS["$key" . "_name"] = $val['name'];
$GLOBALS["$key" . "_size"] = $val['size'];
$GLOBALS["$key" . "_type"] = $val['type'];
}
}
}
Later down the file line 96.
Contains: include "$c_basepath/base/groupit.library.inc";
I'm pretty sure this is where the vuln is occuring.
/str0ke
More information about the VIM
mailing list