[VIM] Storyteller CMS (var) Local File Inclusion Vulnerability
George A. Theall
theall at tenable.com
Fri Sep 17 20:57:18 CDT 2010
BorN To K!LL reported a local file inclusion vulnerability in
StoryTeller CMS -- covered by Exploit DB 14996 / Bugtraq 43201 -- and
offers the following code snippet from 'core.php':
    function GetTemplate($var)
    {
        if (file_exists("templates/$var.tmp.php"))
        {
            require("templates/$var.tmp.php");
        }
        else
        {
            die ("Error: Can't open template $var");
        }
        return $EST_TEMPLATE;
    }
as well as the following POC:
    /core.php?var=[Local-File]%00
How's that exploitable? The file only uses '$var' as an argument in
various functions. And there's no way I see for an attacker to control
input to 'GetTemplate()'.
George
--
theall at tenablesecurity.com
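
Added example, not part of the original post and not StoryTeller CMS code: a line-based triage helper that lists every call site of a loader like GetTemplate() and reports whether its argument is a literal, is derived from request data, or needs manual review, which is the reachability question the post raises. The PHP sample and the name classify_calls are constructed for illustration.

```python
import re

# Constructed sample (not StoryTeller CMS source): hypothetical call sites
# of a template loader shaped like the GetTemplate() quoted in the post.
SAMPLE_PHP = """<?php
function GetTemplate($var) { /* body as quoted above */ }
$page = GetTemplate("header");
$name = $_GET['tpl'];
$body = GetTemplate($name);
$foot = GetTemplate($footer_name);
"""

REQUEST = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
VAR = re.compile(r"\$\w+")
ASSIGN = re.compile(r"(\$\w+)\s*=(?!=)\s*([^;]+);")
LITERAL = re.compile(r"""(['"])[^$'"]*\1""")


def classify_calls(php_source, func="GetTemplate"):
    """Return (line, argument, verdict) for each call to func, top to bottom."""
    # Heuristic: one call per line, argument taken up to the last ')'.
    call = re.compile(r"\b" + re.escape(func) + r"\s*\((.*)\)")
    tainted, findings = set(), []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        # Propagate taint: a variable assigned from request data, or from an
        # already tainted variable, is treated as attacker-influenced.
        for lhs, rhs in ASSIGN.findall(line):
            if REQUEST.search(rhs) or tainted & set(VAR.findall(rhs)):
                tainted.add(lhs)
        if re.match(r"\s*function\b", line):
            continue  # the definition itself is not a call site
        for arg in call.findall(line):
            arg = arg.strip()
            if REQUEST.search(arg) or tainted & set(VAR.findall(arg)):
                verdict = "request-controlled"
            elif LITERAL.fullmatch(arg):
                verdict = "literal"
            else:
                verdict = "review"  # origin not visible in this file
            findings.append((lineno, arg, verdict))
    return findings


if __name__ == "__main__":
    for lineno, arg, verdict in classify_calls(SAMPLE_PHP):
        print(f"line {lineno}: GetTemplate({arg}) -> {verdict}")
```

A "review" verdict means the variable's origin lies outside the scanned file (an include, a global, or a caller's parameter) and has to be traced by hand.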