[VIM] mxBB Smartor Album - possible milw0rm dispute
George A. Theall
theall at tenablesecurity.com
Wed Nov 8 17:13:20 EST 2006
Steven M. Christey wrote:
> Apparently an RFI was reported in
> http://www.milw0rm.com/exploits/2723, which seems to be the only raw
> source. BID:20932 and XF:smartor-album-file-include(30015) are other
> references. However, the milw0rm URL has since become blank. I
> emailed str0ke about it, and he recalled removing it because it didn't
> look legit after some investigation.
I set up Smartor Album 1.02 and mxBB 2.7.7 and, after looking at the
code and playing with it a bit, I doubt the issue is valid. The
manipulation of global variables that I had noticed in common.php only
unsets them if register_globals is enabled; I didn't see any way for the
supposedly affected module_root_path parameter to be manipulated by an
attacker. Even trying Esser's trick of passing along numeric parameters
to avoid unsetting the actual parameter didn't work -- the script dies
with "Hacking attempt".
George
--
theall at tenablesecurity.com
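The dispute above turns on whether a request parameter could ever overwrite `module_root_path` before it is used in an include. The snippet below is an added illustration of that generic register_globals pattern, written for this page; it is not Smartor Album or mxBB code, and the function names and the `extract()` call (used here only to simulate register_globals importing request variables into scope) are assumptions.

```php
<?php
// Added illustration, not Smartor Album / mxBB code. Shows why an include
// path that is only assigned "if not already set" is exposed under
// register_globals=On, while an unconditional assignment is not.

// Simulates register_globals: request variables are imported into the
// function's local scope exactly as PHP would import them into globals.
function simulate_register_globals(array $request): array
{
    return $request;
}

// Risky pattern: the path is assigned only when nothing set it first, so an
// attacker-supplied request variable of the same name survives into the
// include() below.
function include_path_conditional(array $request): string
{
    extract(simulate_register_globals($request), EXTR_SKIP);
    if (!isset($module_root_path)) {
        $module_root_path = './';
    }
    return $module_root_path;   // would be used as $module_root_path . 'file.php'
}

// Hardened pattern: the path is assigned unconditionally before any include,
// so the request cannot influence it no matter how register_globals is set.
function include_path_fixed(array $request): string
{
    extract(simulate_register_globals($request), EXTR_SKIP);
    $module_root_path = './';
    return $module_root_path;
}

// Constructed request: the same key the original report named, with an
// obviously bogus remote value.
$request = ['module_root_path' => 'http://example.invalid/'];

var_dump(include_path_conditional($request)); // string "http://example.invalid/"
var_dump(include_path_fixed($request));       // string "./"
```

When auditing a report like the one discussed here, the check is simply whether the variable named in the advisory is ever left to a conditional assignment (or to an `unset()` sweep that can be bypassed) before it reaches an `include`; if it is always assigned unconditionally, as George found, there is no path for the request to reach the include.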