[VIM] Free Articles Directory - file inclusion, code execution?
Steven M. Christey
coley at linus.mitre.org
Wed Mar 22 14:34:50 EST 2006
I did some followup analysis on this and (yet again) forgot to forward to
VIM.
-----
[CVE-2006-1350]
ACCURACY: verified using source inspection by Steve Christey on
20060321. Line 23 of index.php (dated 20051208) is:
include($_GET["page"].".php");
So this is file inclusion. The use of the "cmd" parameter in the exploit
is a standard manipulation in which the remote page delivers the code that
accepts the cmd parameter.
Full source of index.php is below.
I didn't see any clear version numbers; most source files are dated Dec 8,
2005.
- Steve
<?php session_start();
include("includes/config.inc");
include("includes/func.php");
include("query.php");
include("header.php");
if ($_GET["page"]=='')
if ($_GET["pagedb"]!='')
{
$sql="SELECT * FROM document_master where
doc_title='".
$_GET["pagedb"]."'";
$cmd = mysql_query($sql);
$rs = mysql_fetch_array($cmd);?>
<br><?=getsettings(8,"",2);?><br><br>
<?echo $rs["doc_content"];
}
else
{
include("home.php");
}
else
{
include($_GET["page"].".php");
}
?>
<?include("footer.php"); ?>
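
A hardened form of the include at line 23, as an added example that is not part of the original post or of the Free Articles Directory code. It maps the request value to a fixed file through an allowlist; the page names other than "home" and the pages/ directory are assumptions.

```php
<?php
// Added example, not code from Free Articles Directory.
// Hardened replacement for: include($_GET["page"].".php");

// Hypothetical allowlist: request value => file under the pages directory.
// Only "home" (home.php) appears in the posted source; the rest are placeholders.
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',
    'submit'  => 'submit.php',   // placeholder name
    'contact' => 'contact.php',  // placeholder name
];

/**
 * Map an untrusted "page" value to a fixed local file, or null if not allowed.
 */
function resolve_page($requested, string $baseDir): ?string
{
    // ?page[]=x arrives as an array; reject anything that is not a string.
    if (!is_string($requested)) {
        return null;
    }
    // Exact key match only. URLs, "../", NUL bytes and stream wrappers
    // cannot match a key, so they never reach include().
    if (!array_key_exists($requested, PAGE_ALLOWLIST)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . PAGE_ALLOWLIST[$requested];
}

// Constructed sample inputs, including a remote-URL value of the kind the post describes.
$samples = ['home', 'http://example.invalid/x', '../includes/config.inc', ['home'], ''];
foreach ($samples as $value) {
    $path = resolve_page($value, __DIR__ . '/pages');
    printf("%-40s => %s\n", json_encode($value), $path ?? 'rejected');
}
```

In index.php the caller would include the returned path only when it is not null and fall back to home.php otherwise. Setting allow_url_include = Off in php.ini blocks the remote form independently, but local paths still need the allowlist.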