[VIM] some discrepancies: Linker IMG <=1.0 RFI
Steven M. Christey
coley at linus.mitre.org
Fri Jun 25 15:17:51 CDT 2010
EXPLOIT-DB:13964
Researcher: Sn!pEr.S!Te Hacker
This is claimed to be RFI, but source inspection suggests that it is at
best LFI.

    ...
    include ("./function/base_info.php");
    include ("./function/main_func.php");
    include ("./function/$Sdb_type.php");
    ...
    if ($lan_dir && file_exists("./$lan_dir/u_common.php"))
        include ("./$lan_dir/u_common.php");
    else include ("./$Slang/u_common.php");

First of all, the demo URL says "$lan_dir=[RFI]" but clearly $lan_dir is
processed by the cook_lan cookie (VUPEN already noticed this, which
prompted my investigation).
The include() is clearly only susceptible to LFI.
The "./function/$Sdb_type.php" include statement is presumably the source
of the "Sdb_type=[RFI]" vector claimed by the researcher, but my casual
source inspection suggests that $Sdb_type is probably set in an executable
config file that is generated on installation.
By the way, the $Slang vector above also seems to be a hard-coded config
value.
- Steve
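
The RFI-versus-LFI reasoning in the message above, as an added example that is not part of the original post or of Linker IMG's code: a small Python triage helper that classifies each variable in a PHP include path by whether a literal prefix precedes it. The `$page` line is a constructed contrast case, and treating `Sdb_type` and `Slang` as config-set is an assumption that follows the post's own tentative reading.

```python
import re

# include/require (and *_once) with a double-quoted path; PHP only
# interpolates variables inside double-quoted strings.
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*"([^"]*)"', re.I)
VAR_RE = re.compile(r'\$\{?([A-Za-z_]\w*)')

def classify_include(line, config_vars=frozenset()):
    """Return [(variable, verdict)] for each variable in an include path."""
    findings = []
    for inc in INCLUDE_RE.finditer(line):
        path = inc.group(1)
        for var in VAR_RE.finditer(path):
            name, prefix = var.group(1), path[:var.start()]
            if name in config_vars:
                # Set by the installer-generated config, not by the request.
                verdict = "config value"
            elif prefix:
                # A literal prefix such as "./" means the final string can
                # never begin with a URL scheme, so nothing is fetched remotely.
                verdict = "LFI at most"
            else:
                # Variable starts the path; remote inclusion additionally
                # needs allow_url_include enabled in php.ini.
                verdict = "RFI possible"
            findings.append((name, verdict))
    return findings

# Lines taken from the excerpt in the post, plus one constructed contrast case.
SAMPLE = [
    'include ("./function/base_info.php");',
    'include ("./function/$Sdb_type.php");',
    'include ("./$lan_dir/u_common.php");',
    'else include ("./$Slang/u_common.php");',
    'include ("$page.php");',  # constructed, not from the page
]
# Assumption taken from the post: these two are config-file values.
CONFIG_VARS = frozenset({"Sdb_type", "Slang"})

def triage(lines=SAMPLE, config_vars=CONFIG_VARS):
    """Classify every variable found in the include paths of `lines`."""
    return [f for line in lines for f in classify_include(line, config_vars)]

if __name__ == "__main__":
    for name, verdict in triage():
        print(f"${name}: {verdict}")
```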