[VIM] clearBudget v0.9.8 Remote File Include Vulnerability

George A. Theall theall at tenable.com
Wed Aug 11 09:43:04 CDT 2010


Looks like the same sort of problem with Exploit DB 14614 / Bugtraq  
42351 -- the supposedly affected file defines a class, and there's no  
way for an attacker to control the '$actionPath' variable:

   <?php
   /**
   * File holding the controller class
   *
   * @author       Fabrice Douteaud <admin at clearbudget.net>
   * @package      framework
   * @access       public
   */

   /***********************************************************************

     Copyright (C) 2008  Fabrice Douteaud (admin at clearbudget.net)

       This file is part of ClearBudget.

       ClearBudget is free software: you can redistribute it and/or modify
       it under the terms of the GNU General Public License as published by
       the Free Software Foundation, either version 3 of the License, or
       (at your option) any later version.

       ClearBudget is distributed in the hope that it will be useful,
       but WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
       GNU General Public License for more details.

       You should have received a copy of the GNU General Public License
       along with ClearBudget.  If not, see <http://www.gnu.org/licenses/>.

   ************************************************************************/

   /**
   * Class managing the flow of event from a given request. It controls the actions
   * that are requested and build the output message.
   *
   * this is the application controller.
   *
   * @author       Fabrice Douteaud <admin at clearbudget.net>
   * @package      framework
   * @access       public
   */
   class class_controller {
   ...
     public function doAction() {
   ...
       $actionPath = 'actions'.DIRECTORY_SEPARATOR.$context->action.'.php';
       // if file does not exist, we simply continue
       if(file_exists($actionPath)) {
         // includes the files (i.e.: execute it)
         include($actionPath);
   ...
       }
   ...
     public function includeAction($action) {
   ...
       $actionPath = 'actions'.DIRECTORY_SEPARATOR.$action.'.php';
       // if file does not exist, we simply continue
       if(file_exists($actionPath)) {
         // includes the files (i.e.: execute it)
         include($actionPath);
   ...
       }
   ...
     }
   ?>


George
-- 
theall at tenablesecurity.com
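The pattern quoted in the message (build a path from an action name, check file_exists(), include it) is safe only as long as the action name is not under request control. The following is an added example, not ClearBudget code and not part of the original post: a defensive version of such a dispatcher that stays safe even if the action name were ever to arrive from user input. The class name ActionDispatcher, the 'actions' directory layout and the PHP 7.4+ syntax are assumptions for this illustration.

```php
<?php
// Added example (not ClearBudget code): a defensive version of the
// "include actions/<name>.php" dispatcher pattern.  Two checks keep a
// computed include path from becoming a local or remote file include:
//   1. the action name must match a strict allow-list pattern, so path
//      separators, "..", URL schemes, stream wrappers or null bytes can
//      never appear in it;
//   2. the resolved path must lie inside the actions directory.
// The 'actions' directory layout is an assumption taken from the quoted snippet.

class ActionDispatcher
{
    private string $actionsDir;

    public function __construct(string $actionsDir)
    {
        $real = realpath($actionsDir);
        if ($real === false) {
            throw new RuntimeException("actions directory not found: $actionsDir");
        }
        $this->actionsDir = $real;
    }

    /**
     * Returns the validated absolute path of the action file, or null when
     * the name is rejected or no such action file exists.
     */
    public function resolve(string $action): ?string
    {
        // Check 1: only short, simple identifiers are acceptable action names.
        if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $action)) {
            return null;
        }
        $candidate = $this->actionsDir . DIRECTORY_SEPARATOR . $action . '.php';

        // Check 2: file_exists() alone is not a containment check, so resolve
        // the path and confirm it still sits under the actions directory.
        $real = realpath($candidate);
        $prefix = $this->actionsDir . DIRECTORY_SEPARATOR;
        if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $real;
    }

    /** Includes the action file; returns false (and includes nothing) when rejected. */
    public function includeAction(string $action): bool
    {
        $path = $this->resolve($action);
        if ($path === null) {
            return false;   // unknown or malformed action: simply continue, as the original does
        }
        include $path;
        return true;
    }
}

// Constructed demonstration: a temporary actions directory holding one action.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'actions_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'hello.php', "<?php echo \"hello action ran\\n\";\n");

$dispatcher = new ActionDispatcher($dir);
var_dump($dispatcher->includeAction('hello'));                    // valid action: included
var_dump($dispatcher->includeAction('../outside'));               // rejected by the name check
var_dump($dispatcher->includeAction('http://example.invalid/x'));  // rejected by the name check
var_dump($dispatcher->includeAction('missing'));                  // passes the name check, no such file

unlink($dir . DIRECTORY_SEPARATOR . 'hello.php');
rmdir($dir);
```

The name check does the real work: once an action name is restricted to an identifier, the include can only ever reach files the application shipped under the actions directory, so neither allow_url_include nor directory traversal comes into play. The realpath() containment check is a second line of defence in case the allow-list is ever loosened.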
