[VIM] shared code involving pcltar.lib.php/g_pcltar_lib_dir RFI
Steven M. Christey
coley at mitre.org
Mon May 14 22:13:43 UTC 2007
Various disclosures for separate products have involved RFI in a file
named "pcltar.lib.php" (or pcltar.php) using $g_pcltar_lib_dir. CVE
analysis has shown that this stems from the Tar module 1.3 for Vincent
Blavet PhpConcept Library, called PclTar. The current version (dated
2003), 1.3.1, also has the problem.
Note: pcltrace.lib.php doesn't appear to be affected, as claimed for
the CJG EXPLORER disclosure.
Affected software is at least:
(1) Joomla! 1.5.0 Beta
(2) N/X Web Content Management System (WCMS) 4.5,
(3) CJG EXPLORER PRO 3.3
and probably (4) MiraksGalerie 2.62, whose disclosure had other
distinct vectors that seemed unrelated to PclTar (CVE-2006-2922).
I'm MERGING all these into CVE-2007-2199, see below.
You can get the original module, 1.3.1, here:
http://www.phpconcept.net/appli-download.php
And lib/pcltar.lib.php3 in the official distribution says:

  // PhpConcept Library - Tar Module 1.3.1
  ...
  // ----- Configuration variable
  // Theses values may be changed by the user of PclTar library
  if (!isset($g_pcltar_lib_dir))
    $g_pcltar_lib_dir = "lib";
  ...
  if (!defined("PCLERROR_LIB"))
  {
    include($g_pcltar_lib_dir."/pclerror.lib.".$g_pcltar_extension);
  }
  if (!defined("PCLTRACE_LIB"))
  {
    include($g_pcltar_lib_dir."/pcltrace.lib.".$g_pcltar_extension);
  }

NOTE: the readme.txt for this module makes it clear that
g_pcltar_lib_dir needs to be set, but this is more difficult to
evaluate when other software uses this module.
In the CJG EXPLORER disclosure (milw0rm 3915), the researcher claims:

  File : /pcltrace.lib.php
  include($g_pcltar_lib_dir."/pclerror.lib.php");

HOWEVER:
1) There is NO include() call in pcltrace.lib.php in the official
distribution for 1.3.1, neither is it in 1.0.
2) Neither is there such a call in CJG EXPLORER.
So, I'd say that CVE disputes the pcltrace.lib.php claim but verifies
the pcltar.lib.php claim.
- Steve
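
Added example (not part of the original post, and not PhpConcept code): a heuristic audit script for finding bundled copies of this pattern, where an include path is built from a variable that only receives a default inside an `if (!isset(...))` guard and so is never unconditionally set in the file. The function name, both sample strings and the hardened variant are constructed for illustration; the hardened form is an assumption, not a vendor fix.

```python
import re

INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?(.*?)\)?\s*;', re.I)
GUARD_RE = re.compile(r'if\s*\(\s*!\s*isset\s*\(\s*\$(\w+)\s*\)\s*\)')
ASSIGN_RE = re.compile(r'^\s*\$(\w+)\s*=[^=]')
VAR_RE = re.compile(r'\$(\w+)')

# Constructed sample: only the lines quoted in the post above.
SAMPLE_QUOTED = '''<?php
if (!isset($g_pcltar_lib_dir))
  $g_pcltar_lib_dir = "lib";
if (!defined("PCLERROR_LIB"))
{
  include($g_pcltar_lib_dir."/pclerror.lib.".$g_pcltar_extension);
}
'''

# Constructed hardened variant (an assumption, not a vendor patch).
SAMPLE_HARDENED = '''<?php
$g_pcltar_lib_dir = dirname(__FILE__);
$g_pcltar_extension = "php";
include($g_pcltar_lib_dir."/pclerror.lib.".$g_pcltar_extension);
'''

def find_unsafe_includes(source):
    """Return [(line_no, [variables])] for includes built from variables
    that have no unconditional assignment earlier in the same file."""
    trusted, guarded, findings = set(), None, []
    for line_no, line in enumerate(source.splitlines(), 1):
        text = line.strip()
        if text == '{' or text.startswith('//'):
            continue  # keep a pending isset guard across a brace or comment
        assign = ASSIGN_RE.match(line)
        if assign and assign.group(1) != guarded:
            trusted.add(assign.group(1))  # value is always overwritten here
        inc = INCLUDE_RE.search(line)
        if inc:
            risky = sorted(set(VAR_RE.findall(inc.group(1))) - trusted)
            if risky:
                findings.append((line_no, risky))
        guard = GUARD_RE.search(line)
        guarded = guard.group(1) if guard and ';' not in line else None
    return findings

if __name__ == '__main__':
    for name, src in (('quoted', SAMPLE_QUOTED), ('hardened', SAMPLE_HARDENED)):
        print(name, find_unsafe_includes(src))
```

The check is line-based and per-file, so it treats any top-level assignment as unconditional and does not follow values set by a calling script; a hit means "review this include", not a confirmed finding.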