[VIM] Esvon Classifieds 4.0 Multiple Vulnerabilities

George A. Theall theall at tenable.com
Sat Sep 18 19:15:10 CDT 2010


Sn!pEr.S!Te reported some vulnerabilities in Esvon Classifieds 4.0 --
covered by Exploit DB 14817 / Bugtraq 42819 -- that look bogus to me.

The first is a command execution issue involving the 'sql' parameter
in 'inc/pdo.inc.php'. Looking at the copy of the file attached to the
Exploit DB advisory, the file in question comes into play only if the
function 'mysql_connect' does not exist and the 'PDO' class does, and
it consists of a series of function definitions that extend the PDO
class, but none that an attacker can reach by calling the file
directly. I'm also not sure exactly which code Sn!pEr.S!Te sees as a
problem; perhaps:

   class esPDO extends PDO {
     var $_aff_rows = 0;
     // the only place 'sql' appears: handed to PDO::exec() by a method
     // that nothing runs when the file is requested on its own
     function exec($sql){
       return $this->_aff_rows = parent::exec($sql);
     }
   }

Grep & gripe perhaps?

The other issue is a local file inclusion issue in
'inc/class.phpmailer.php'. The trouble is, that file simply defines a class
-- an attacker can't reach any of the functions in it by calling the
file directly. And even if you could, the only instance where
'lang_type' comes into play is this:

   function SetLanguage($lang_type, $lang_path = 'language/') {
     /*if(file_exists($lang_path.'phpmailer.lang-'.$lang_type.'.php')) {
       include($lang_path.'phpmailer.lang-'.$lang_type.'.php');
     } elseif (file_exists($lang_path.'phpmailer.lang-en.php')) {
       include($lang_path.'phpmailer.lang-en.php');
     } else {*/

Note the multiline comment means there's no issue even if you could
somehow call that function.


George
-- 
theall at tenablesecurity.com
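A small triage helper, added here and not part of George's post, of Esvon Classifieds or of PHPMailer: it strips PHP comments (leaving string literals alone, so a `//` inside a URL literal is not mistaken for a comment) and then reports include/require statements that still reference a given parameter. That turns the question the post raises, whether the reported sink is live code at all, into a mechanical check. The two PHP sources it runs on are constructed for this example: the first mirrors the quoted SetLanguage() method with its `/* ... */` block, the second is the same text with the comment markers removed. The class name and the statement after the comment block are assumptions.

```python
import re

# Constructed excerpt mirroring the SetLanguage() method quoted in the post:
# both include() calls sit inside a /* ... */ block, so they are dead code.
COMMENTED_OUT = """<?php
class PHPMailer {
  function SetLanguage($lang_type, $lang_path = 'language/') {
    /*if(file_exists($lang_path.'phpmailer.lang-'.$lang_type.'.php')) {
      include($lang_path.'phpmailer.lang-'.$lang_type.'.php');
    } elseif (file_exists($lang_path.'phpmailer.lang-en.php')) {
      include($lang_path.'phpmailer.lang-en.php');
    } else {*/
      $this->language = array();
    /*}*/
    return true;
  }
}
"""

# Constructed variant with the comment markers removed: here the same
# include() is reachable code and the triage must report it.
LIVE = COMMENTED_OUT.replace("/*", "").replace("*/", "")

INCLUDE_RE = re.compile(r"\b(include|require)(_once)?\b")


def strip_php_comments(src: str) -> str:
    """Remove /* */, // and # comments; keep string literals and line count intact."""
    out = []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c in ("'", '"'):
            # Copy a quoted literal verbatim, honouring backslash escapes,
            # so comment markers inside strings are never treated as comments.
            j = i + 1
            while j < n and src[j] != c:
                if src[j] == "\\":
                    j += 1
                j += 1
            out.append(src[i:j + 1])
            i = j + 1
        elif src.startswith("/*", i):
            end = src.find("*/", i + 2)
            end = n if end == -1 else end + 2
            # Keep the newlines so reported line numbers still match the file.
            out.append("\n" * src.count("\n", i, end))
            i = end
        elif src.startswith("//", i) or c == "#":
            end = src.find("\n", i)
            i = n if end == -1 else end  # the newline itself is kept
        else:
            out.append(c)
            i += 1
    return "".join(out)


def live_includes(src: str, param: str):
    """Return (line_number, line) for every uncommented include/require
    whose line references $param."""
    hits = []
    needle = "$" + param
    for lineno, line in enumerate(strip_php_comments(src).split("\n"), start=1):
        if INCLUDE_RE.search(line) and needle in line:
            hits.append((lineno, line.strip()))
    return hits


if __name__ == "__main__":
    for label, src in (("as quoted (commented out)", COMMENTED_OUT),
                       ("comment markers removed", LIVE)):
        hits = live_includes(src, "lang_type")
        print(f"{label}: {len(hits)} live include(s) using $lang_type")
        for lineno, line in hits:
            print(f"  line {lineno}: {line}")
```

The check is deliberately narrow: it answers only "does an include/require using this variable survive comment stripping?", which is the first thing to confirm before spending time on reachability. It says nothing about whether the enclosing function can be invoked, which in this case is the second reason the report does not hold up.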