[VIM] 60cycleCMS <= 2.5.0 Remote File Include Exploit

Steven M. Christey coley at linus.mitre.org
Tue Dec 22 20:41:11 UTC 2009


On Tue, 22 Dec 2009, George A. Theall wrote:

> With a bit of encouragement from Steve...

oh, great, blame me ;-)

> Exploit DB's #10551 looks bogus to me. PoC is:
>
> [60cycleCMS_path]/common/sqlConnect.php?DOCUMENT_ROOT=[SHELL DIRECTORY]/something

So I wish I had the direct reference at hand, but I'm pretty sure that 
older PHPs allowed overwriting of $_SERVER variables.  How old, I'm not 
sure...  I think Stefan Esser did some writeup on this.  But now I've dug 
up a 2006 post to VIM where I said the same thing and apparently never 
followed up...

There's always the risk of somebody implementing their own version of 
register_globals and poisoning $_SERVER that way, but the code snippet 
doesn't give enough context.

Ah yes, Stefan saves the day on this last angle:

http://www.suspekt.org/2009/02/06/some-facts-about-the-phplist-vulnerability-and-the-phpbbcom-hack/


> Code snippet from 2.5.0, which is supposedly affected:
>
> // include your sql info file here
> $root = $_SERVER['DOCUMENT_ROOT'];
> require "$root/../config.php";

Yeah, I can see how this would raise questions.  Code inspection would be 
needed.

In CVE, we've been somewhat agnostic on this general point because of my 
vague recollection that older PHPs allowed $_SERVER to be directly 
modified.

- Steve
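As an added illustration of what the "code inspection" above would look for (this is not code from 60cycleCMS or from anyone in the thread; function names and the directory layout are hypothetical): the quoted include is only attacker-reachable if something lets request data replace the $_SERVER superglobal, such as a home-grown register_globals emulation, and the hardened form sidesteps the question entirely by anchoring on the script's own location.

```php
<?php
// Added illustration, not 60cycleCMS code. Names are hypothetical.

// Pattern that code inspection should flag: a home-grown register_globals
// emulation that copies every request key into the global scope. Because
// $GLOBALS also holds the superglobals, a request key named '_SERVER' would
// replace the whole $_SERVER array, which is the only way the quoted
// DOCUMENT_ROOT include becomes request-controlled on a modern PHP.
function legacy_register_globals_emulation()
{
    foreach ($_REQUEST as $key => $value) {
        $GLOBALS[$key] = $value;   // no key filtering at all
    }
}

// Include shaped like the quoted 2.5.0 snippet: the path is built from a
// value the application trusts to come from the web server, not the client.
function include_config_from_document_root()
{
    $root = $_SERVER['DOCUMENT_ROOT'];
    require "$root/../config.php";
}

// Hardened form: derive the path from the script's own location instead of a
// superglobal, resolve it, and refuse anything outside the install directory
// (realpath() returns false for stream wrappers such as http://, so a remote
// or nonexistent path is rejected rather than included).
function include_config_safely()
{
    $installDir = realpath(dirname(__FILE__) . '/..');   // hypothetical layout
    $config     = ($installDir === false) ? false : realpath($installDir . '/config.php');
    if ($config === false
        || strpos($config, $installDir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('config.php not found inside the install directory');
    }
    require $config;
}
```

On a stock PHP of that era with register_globals off, only the first pattern (or an equally broad import of request variables) makes $_SERVER['DOCUMENT_ROOT'] attacker-controlled, which is why the PoC as written cannot be judged without the surrounding code.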

