[VIM] CVE-2006-5402, fishy?

Stuart Moore smoore at securityglobal.net
Thu Oct 19 07:10:27 EDT 2006


Well, the vendor says that version 3.01 is indeed vulnerable.  There is 
a patch at:

http://www.sigb.net/patch.php

Stuart


Stuart Moore wrote:
> Based on a not-quite-complete analysis, this one looks suspicious:
> 
> I can't find a copy of version 2.1.  However, in looking at newer 
> versions (2.1.29 and 3.0.1) and in looking at old code from CVS, it 
> appears that $include_path is specified.
> 
> In version 2.1.29, the 'index.php' script (v 1.10 2005/09/19 13:42:00) 
> says:
> 
>   include_once ("./includes/config.inc.php");
> 
> And the 'config.inc.php' script (v 1.50.2.24 2006/09/30 11:01:16) says:
> 
>   $class_path        = 'classes';                // classes
> 
> So that should prevent any attack via 'class_path' in 2.1.29.
> 
> And checking the earlier code from the now defunct CVS repository on 
> sourceforge (circa release 1.0 time frame):
> 
> index.php,v 1.29 2004/01/13 06:39:29:
> 
>   include ("./includes/error_report.inc.php") ;
>   include ("./includes/global_vars.inc.php") ;
>   include ("./includes/config.inc.php");
> 
> cart.php,v 1.21 2004/04/06 08:11:03:
> 
>   $base_path=".";
>   $base_auth = "";
>   $base_title = "\$msg[396]";
>   require_once ("$base_path/includes/init.inc.php");
>
>   // modules specific to cart.php or its sub-modules
>   include("$include_path/cart.inc.php");
> 
> init.inc.php,v 1.14 2004/03/02 09:12:56:
> 
>   include ("$base_path/includes/error_report.inc.php") ;
>   include ("$base_path/includes/global_vars.inc.php") ;
>   require("$base_path/includes/config.inc.php");
>
>   // prevents direct script access
>   if(preg_match('/init\.inc\.php/', $REQUEST_URI)) {
>       include('forbidden.inc.php'); forbidden();
>       }
>
>   $include_path      = $base_path."/".$include_path;
>   $class_path        = $base_path."/".$class_path;
> 
> config.inc.php,v 1.28 2003/12/22 13:52:12:
> 
>   $include_path      = 'includes';               // includes
>   $class_path        = 'classes';                // classes
> 
> So, that should prevent attacks via include_path or class_path.
> 
> I've written to the vendor for confirmation.
> 
> Stuart
> 
> 
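
The manual check in the quoted analysis (is every variable used in an include path assigned before that include runs?) can be scripted. This is an added example, not part of the original post and not the vendor's code; the file contents are constructed from the quoted excerpts, and `includes/helper.inc.php`, `evaluate` and `audit` are hypothetical names.

```python
import posixpath
import re

# Constructed sample tree modelled on the excerpts quoted above (not the vendor's files).
FILES = {
    "cart.php": '$base_path=".";\n'
                'require_once ("$base_path/includes/init.inc.php");\n'
                'include("$include_path/cart.inc.php");\n',
    "includes/init.inc.php": 'require("$base_path/includes/config.inc.php");\n'
                             '$include_path = $base_path."/".$include_path;\n',
    "includes/config.inc.php": "$include_path = 'includes';\n$class_path = 'classes';\n",
    "includes/cart.inc.php": "",
    # Hypothetical file that relies on its caller to have set $class_path.
    "includes/helper.inc.php": 'require_once("$class_path/thing.class.php");\n',
}

INCLUDE = re.compile(r"^\s*(?:include|require)(?:_once)?\b(.*);")
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(.*?);")
TOKEN = re.compile(r"""'([^']*)'|"([^"]*)"|\$(\w+)""")
VAR = re.compile(r"\$(\w+)")

def evaluate(expr, env, missing):
    """Resolve a PHP string expression; collect variables that have no value yet."""
    def lookup(name):
        if name not in env:
            missing.append(name)
        return env.get(name, "")
    out = ""
    for single, double, var in TOKEN.findall(expr):
        out += lookup(var) if var else VAR.sub(lambda m: lookup(m.group(1)), double) + single
    return out

def audit(entry, files=FILES):
    """Return (file, variable) pairs where an include path uses an unassigned variable."""
    env, findings, seen = {}, [], set()
    def run(path):
        seen.add(path)
        for line in files[path].splitlines():
            inc, asg = INCLUDE.match(line), ASSIGN.match(line)
            if asg:
                env[asg.group(1)] = evaluate(asg.group(2), env, [])
            elif inc:
                missing = []
                target = posixpath.normpath(evaluate(inc.group(1), env, missing))
                findings.extend((path, name) for name in missing)
                if not missing and target in files and target not in seen:
                    run(target)
    run(entry)
    return findings
```

`audit("cart.php")` returns an empty list because every include path on that request path is built from variables assigned earlier. The hypothetical helper is reported because nothing on its own request path assigns `$class_path`, which is why each directly reachable script needs to be audited as its own entry point.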

