[VIM] Provable vendor ack for phpCMS
Steven M. Christey
coley at mitre.org
Thu Jun 2 16:44:00 EDT 2005
The recent phpCMS class.layout_phpcms.php/language file
include/directory traversal vulnerability is described here:
:REFERENCE BUGTRAQ:20050602 SEC-CONSULT SA20050602-1 :: Arbitrary File Inclusion in phpCMS 1.2.x
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111773774916907&w=2
Researcher claims acknowledgement, but the text here:
http://www.phpcms.de/download/index.en.html
is somewhat vague - "There was a security vulnerability discovered."
Proof of vendor acknowledgement of this specific issue follows:
- The download ZIP file for the security fix mainly includes
class.layout_phpcms.php, which has hard-coded values for the
language parameter.
- In addition, source code review of the CVS repository for
class.layout_phpcms.php here:
http://cvs.sourceforge.net/viewcvs.py/phpcms/phpcms/parser/include/class.layout_phpcms.php?rev=1.12.2.37&view=markup
shows that the original 1.2.1 version used user input for the
language parameter:
    include($PHPCMS_INCLUDEPATH.'/language.'.$_GET[language]);
where the version for the security fix looks like this:
    if ($_GET['language'] == 'de') {
        include($PHPCMS_INCLUDEPATH.'/language.de');
    } else {
        include($PHPCMS_INCLUDEPATH.'/language.en');
    }
Thus, the bug mentioned in the Bugtraq post was fixed by this security
update.
- Steve
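
The source comparison in the message above can be repeated mechanically. This added example, which is not part of the original post or of phpCMS, flags include/require statements whose path expression contains a request superglobal and applies that check to the two snippets quoted above; the function names and the regex heuristic are assumptions made for illustration.

```python
import re

# Request-controlled PHP superglobals; one of these inside an include path
# means the file to load is chosen by the client.
TAINTED = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
                     r"|\$HTTP_(?:GET|POST|COOKIE)_VARS\b")

# An include/require statement up to its terminating semicolon.
# Heuristic: does not parse PHP strings or comments, and does not follow
# taint through intermediate variables.
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?(?P<arg>[^;]*);",
                     re.IGNORECASE)

# Constructed inputs: the two snippets quoted in the message.
BEFORE_1_2_1 = "include($PHPCMS_INCLUDEPATH.'/language.'.$_GET[language]);\n"
AFTER_FIX = """if ($_GET['language'] == 'de') {
    include($PHPCMS_INCLUDEPATH.'/language.de');
} else {
    include($PHPCMS_INCLUDEPATH.'/language.en');
}
"""

def tainted_includes(php_source):
    """Return (line_number, statement) for each include built from request input."""
    hits = []
    for m in INCLUDE.finditer(php_source):
        if TAINTED.search(m.group("arg")):
            line = php_source.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(0).strip()))
    return hits

def fix_confirmed(before, after):
    """True when the old revision has a tainted include and the new one has none."""
    return bool(tainted_includes(before)) and not tainted_includes(after)

if __name__ == "__main__":
    for line, stmt in tainted_includes(BEFORE_1_2_1):
        print(f"1.2.1 line {line}: {stmt}")
    print("fix confirmed:", fix_confirmed(BEFORE_1_2_1, AFTER_FIX))
```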