[VIM] Jetbox CMS file include - CVE dispute
Heinbockel, Bill
heinbockel at mitre.org
Wed Aug 30 08:50:55 EDT 2006
>-----Original Message-----
>From: vim-bounces at attrition.org
>[mailto:vim-bounces at attrition.org] On Behalf Of Stuart Moore
>Sent: Wednesday, 30 August 2006 01:43
>To: Vulnerability Information Managers
>Subject: Re: [VIM] Jetbox CMS file include - CVE dispute
>
>Steve,
>
>I'm confused. The PHP tags are awkward, but not nested. It seems that
>all of the include statements are fully within the phpdigSearch()
>function, but the function is not actually called within that file, and
>so it cannot be exploited. The function *is* called from search.php
>(and that is the only calling script), but the $relative_script_path
>parameter is defined right before the call.
>
>Stuart
>

Yes, this is what I saw... PHP will accept some seemingly weird stuff.
In this case the code was similar to:

    <?php function foo($relative_script_path='.') { ?>
    ... some HTML and php ...
    <?php include "$relative_script_path/file.php"; ?>
    ... some more HTML ...
    <?php } // <-- end of function foo() ?>

I think that Steve missed this fact, especially not evident since
the "function" is 400+ lines long and the include is buried in the
center of it all.

BTW, this is CVE-2006-4422.
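
Added example, not part of the original message and not Jetbox or phpDig code: a heuristic Python triage helper for reports like this one, which tracks brace depth across separate `<?php ... ?>` blocks and reports whether each variable in an include path is a parameter of an enclosing function or a file-scope global. The name `triage_includes` and both sample inputs are constructed for illustration.

```python
import re

PHP_BLOCK = re.compile(r"<\?php(.*?)(?:\?>|\Z)", re.S)
TOKEN = re.compile(                      # heuristic, not a full PHP parser
    r"//[^\n]*|/\*.*?\*/|'(?:\\.|[^'\\])*'"          # comments, '...' strings: skipped
    r"|(?P<func>\bfunction\s+(?P<name>\w+)\s*\((?P<params>[^)]*)\))"
    r"|(?P<inc>\b(?:include|require)(?:_once)?\b[^;?]*)"
    r"|(?P<open>\{)|(?P<close>\})", re.S)

def triage_includes(source):
    """Return (line, variable, enclosing function, scope) per variable in an include path."""
    findings, depth, stack, pending = [], 0, [], None
    for block in PHP_BLOCK.finditer(source):         # brace depth carries across ?> ... <?php
        for m in TOKEN.finditer(block.group(1)):
            if m.group("func"):                      # header seen, body brace still to come
                pending = (m.group("name"), set(re.findall(r"\$(\w+)", m.group("params"))))
            elif m.group("open"):
                if pending:
                    stack.append((pending[0], pending[1], depth))
                    pending = None
                depth += 1
            elif m.group("close"):
                depth -= 1
                if stack and stack[-1][2] == depth:  # closing brace of the function body
                    stack.pop()
            elif m.group("inc"):
                line = source.count("\n", 0, block.start(1) + m.start()) + 1
                name, params = stack[-1][:2] if stack else (None, set())
                for var in re.findall(r"\$(\w+)", m.group("inc")):
                    scope = "global" if name is None else "param" if var in params else "local"
                    findings.append((line, var, name, scope))
    return findings

# Constructed sample mirroring the pattern in the message above.
SAMPLE_WRAPPED = """<?php function foo($relative_script_path='.') { ?>
<p>... some HTML ...</p>
<?php include "$relative_script_path/file.php"; ?>
<p>... some more HTML ...</p>
<?php } // <-- end of function foo() ?>
"""
# Constructed contrast: the same include at file scope, inside a plain if-block,
# where the variable is a global rather than a function parameter.
SAMPLE_GLOBAL = """<?php if ($ok) { ?>
<p>hi</p>
<?php include "$relative_script_path/file.php"; } ?>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WRAPPED, SAMPLE_GLOBAL):
        print(triage_includes(sample))
```

A `param` result means the next step is the one Stuart describes: find every caller of the function and check what it passes.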