[VIM] ModuleBased CMS file include - CVE dispute

Steven M. Christey coley at linus.mitre.org
Fri Sep 1 18:45:01 EDT 2006


> In PHP it is not possible to redeclare the _SERVER global array or the
> _SERVER[DOCUMENT_ROOT] index. Hence, there is no possible way for an
> attacker to modify any of the variables inside the claimed include
> statements.

This isn't entirely the case, since in my PHP 4.3.8, if the program runs
an "extract", then even $_SERVER can be modified.  I think Stefan Esser
talks about this phenomenon in his global variable overwrite white paper
but forget whether later PHP versions address this.

The original Bugtraq post still looks wrong, because the exploits are
direct requests and there's no extract or other variable modification code
that happens before the $_SERVER[DOCUMENT_ROOT] is referenced.

But in the general case, we can't simply assume that $_SERVER is not
modifiable.

Below is some example vulnerable code.  If you call:

   program.php?_SERVER[DOCUMENT_ROOT]=aaa

then you'll see that BEFORE is still set to a fixed document root, but the
extract overwrites it - at least in PHP 4.3.8.


- Steve


<?php
  // Print the document root as the web server set it.
  echo "BEFORE: ";
  echo "$_SERVER[DOCUMENT_ROOT]";
  echo "<p>\n";
  // extract() on untrusted input: with the default EXTR_OVERWRITE, a
  // _SERVER key in the query string replaces the real $_SERVER array.
  extract($_GET);
  echo "AFTER: ";
  echo "$_SERVER[DOCUMENT_ROOT]";
?>
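Added example, not code from Steve's post: the same extract() pattern next to the two fixes a reviewer would ask for, with a check that $_SERVER survived. The hostile request array, the "req" prefix and the whitelist are constructed here so the script runs from the CLI (PHP 7 or later assumed); with a real request you would pass $_GET instead.

```php
<?php
// Constructed, hostile request: a key named _SERVER carrying a fake root.
$untrusted = [
    '_SERVER' => ['DOCUMENT_ROOT' => '/tmp/attacker-controlled'],
    'page'    => 'about',
];

// Snapshot before any extract(), so tampering can be detected afterwards.
// The CLI sets no DOCUMENT_ROOT, hence the fallback.
$docroot_before = $_SERVER['DOCUMENT_ROOT'] ?? '(unset)';

function report(string $label, string $before): void
{
    $now = $_SERVER['DOCUMENT_ROOT'] ?? '(unset)';
    echo $label, ': ', ($now === $before ? 'intact' : 'TAMPERED'), "\n";
}

// Fix 1: EXTR_PREFIX_ALL never writes to an existing name. The hostile key
// lands in $req__SERVER and the real $_SERVER is left alone.
extract($untrusted, EXTR_PREFIX_ALL, 'req');
report('after EXTR_PREFIX_ALL', $docroot_before);

// Fix 2 (preferred): do not extract at all. Copy only the keys the page
// actually expects, with defaults, and use them by name.
$allowed = ['page' => 'home'];
$params  = array_intersect_key($untrusted, $allowed) + $allowed;
$page    = basename($params['page']);           // no directory components
report('after whitelist copy', $docroot_before);
echo "page parameter in use: $page\n";

// Vulnerable pattern from the post, run last because it clobbers global
// state. Steve observed the overwrite on PHP 4.3.8; verify rather than
// assume the behaviour of the version you actually run.
extract($untrusted);
report('after plain extract()', $docroot_before);
```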
