[VIM] Likely vendor fix for Faq Administrator 2.1b

Steven M. Christey coley at mitre.org
Tue Oct 31 17:16:24 EST 2006

Faq Administrator 3.0 was apparently released today, at the same URL
as mentioned in the milw0rm page.  Many files are dated Oct 31.

The "update.txt" file says:

  This is a security patch release!


  A bug has been found that may allow code to be ran on your system.


  1) DELETE:


Using the powerful technique of URL guessing, I was able to download
the older 2.1b version.  faq_reply.php has this code:

  include ("$email");

grep showed that this was the only place where a variable was used in
an include, require, or open statement.

Given the date and the solution, I think this will be treated as
sufficient acknowledgement by CVE.

But, now there's a question of the other files that got deleted.
Based on *casual* inspection, it appears that the other files were
merged into two patch files.  These deleted files only contained 6 to
30 lines each.  It's not clear whether this combination was defensive
or not, although there did seem to be some possibility of variable
modification, although some files such as blank.php didn't have any
code at all.  I didn't look too closely.

- Steve
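The grep step described above (finding every include, require, or open whose target comes from a variable) as a small, added audit script; it is not part of the original post or of the Faq Administrator code base. The PHP sample it scans is constructed for illustration and only borrows the `include ("$email");` line quoted in the post.

```python
import re

# PHP statements whose argument names a file to load or open.
FILE_LOADERS = ("include", "include_once", "require", "require_once", "fopen")

# Matches e.g.  include ("$email");   include $page . '.php';   fopen($f, "r")
# Group 1 is the statement keyword, group 2 the rest of the line after it.
_STMT_RE = re.compile(r"\b(" + "|".join(FILE_LOADERS) + r")\b\s*(.*)$", re.IGNORECASE)

# A PHP variable reference: $name or ${name}.
_VAR_RE = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*")


def find_variable_includes(source: str, filename: str = "<input>"):
    """Return (filename, line_no, keyword, line) for every file-loading
    statement whose target is built from a variable.

    Heuristic line scanner: it strips trailing '//' comments (so a URL inside
    a string on the same line would be cut short) and does not follow
    multi-line statements or string escapes."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]          # drop trailing line comments
        m = _STMT_RE.search(code)
        if not m:
            continue
        keyword, arg = m.group(1).lower(), m.group(2)
        if _VAR_RE.search(arg):
            hits.append((filename, line_no, keyword, line.strip()))
    return hits


# Constructed sample: the 2.1b line quoted on the list plus a few safe and
# unsafe neighbours, to show what the check flags and what it ignores.
SAMPLE_PHP = """<?php
require_once("config.php");          // constant path: not flagged
include ("$email");                  // variable path: the 2.1b bug
$tpl = $_GET['page'];
include $tpl . '.php';               // variable path, concatenated: flagged
// include("$debug");                // commented out: ignored
$fh = fopen("/var/log/faq.log", "a");
?>"""


def main():
    for fn, ln, kw, text in find_variable_includes(SAMPLE_PHP, "faq_reply.php"):
        print(f"{fn}:{ln}: {kw} with variable argument -> {text}")


if __name__ == "__main__":
    main()
```

Run it over a real tree by reading each `.php` file and passing its contents and path to `find_variable_includes`; any hit deserves the same review the post gave faq_reply.php.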
