[VIM] probably true: SimpGB RFI, likely dynamic variable evaluation
Steven M. Christey
coley at mitre.org
Thu May 24 18:01:01 UTC 2007
Researcher: the_Edit0r

Ref: BUGTRAQ SimpGB v1.46.0 Remote File Include Exploit

http://www.boesch-it.de/progsys/download.php?filenr=9&lang=en

First glance at guestbook.php shows:

    require_once('./config.php');

and config.php (distributed as config.dist.php) has:

    $path_simpgb = getenv("DOCUMENT_ROOT")."/simpgb";

but then, back in guestbook.php, we have:

    require($path_simpgb.'/includes/global.inc');

whose name, history has demonstrated, suggests the possibility of
dynamic variable evaluation.

Sure enough, includes/global.inc has:

    while( list($var, $param) = @each($_GET) )
    {
        if(!isset($$var))
        {
            if((substr($var,0,4)!="url_") && (substr($var,0,5)!="path_"))
            {
                $$var=$_GET[$var];
                if(!get_magic_quotes_gpc())
                    $$var=addslashes($$var);
            }

$$var, total awesomeness.

But wait! This is in a nested include. Where does the RFI come in,
utilizing $path_simpgb?

Ah, at the end of global.inc, we have:

    include($path_simpgb.'/includes/timezones.inc');

I've only done source analysis though, and this is nested deep enough
that I'm not 100% confident in my conclusions.

- Steve
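
A review aid for the two constructs traced above, added here as an example and not part of the original post or of SimpGB: it flags request-to-variable import statements and include/require calls whose path starts with a variable. The sample source is constructed from the lines quoted in the post; the function and constant names are hypothetical.

```python
import re

# Constructed sample: the lines quoted in the post, grouped by source file.
GLOBAL_INC = """\
while( list($var, $param) = @each($_GET) )
{
if(!isset($$var))
{
if((substr($var,0,4)!="url_") && (substr($var,0,5)!="path_"))
{
$$var=$_GET[$var];
if(!get_magic_quotes_gpc())
$$var=addslashes($$var);
}
include($path_simpgb.'/includes/timezones.inc');
"""
SAMPLE = {
    "guestbook.php": "require_once('./config.php');\n"
                     "require($path_simpgb.'/includes/global.inc');\n",
    "includes/global.inc": GLOBAL_INC,
}

# $$name = $_GET[...] and friends: request data promoted to a variable.
VARVAR_ASSIGN = re.compile(
    r"\$\$\w+\s*=\s*\$(?:_GET|_POST|_COOKIE|_REQUEST|HTTP_\w+_VARS)\b")
# include/require (with or without _once) whose path begins with a variable.
DYN_INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)")

def audit(sources):
    """Return (file, line number, kind, code) for each flagged line."""
    findings = []
    for name, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            code = line.strip()
            if VARVAR_ASSIGN.search(code):
                findings.append((name, lineno, "request-import", code))
            match = DYN_INCLUDE.search(code)
            if match:
                findings.append((name, lineno, "include:$" + match.group(1), code))
    return findings

def include_vars(findings):
    """Variables used as include path prefixes; each needs a trusted origin."""
    return {kind.split("$", 1)[1] for _, _, kind, _ in findings
            if kind.startswith("include:")}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s:%d [%s] %s" % finding)
```

The scan is line-based and does not parse PHP, so each hit is a starting point for manual tracing of where the include variable is set.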