[VIM] Kietu 3.2 - Local file inclusion

Heinbockel, Bill heinbockel at mitre.org
Tue Sep 26 13:14:02 EDT 2006

As posted on BUGTRAQ on 20060923 "Local File Inclusion : Kietu"

The researcher states that there is a local file inclusion
(directory traversal) with the url_hit parameter in hit.php. The issue
is supposedly on line 2 of hit.php, which should read:
>>   include_once $url_hit.'class/kdetect.class.php';

No version information was provided.
I downloaded the latest release, 3.2, from the vendor's website and
did not discover the previous line in use. However, in 3.2, the
url_hit parameter in hit.php is still vulnerable.

line 40:
>> if (isset($url_hit)&$url_hit!='') {$kietu['url_hit']=$url_hit;} else

lines 59-66:
>> if (file_exists($kietu['url_hit'].'config.php'))
>> {
>>   require ($kietu['url_hit'].'config.php');
>> }
>> if (file_exists($kietu['url_hit'].'define/moteur.php'))
>> {
>>   require ($kietu['url_hit'].'define/moteur.php');
>> }

Since the require calls are enclosed in file_exists conditionals, files
can only be included locally (via traversal or absolute paths) or 
remotely (via FTP, FTPS URIs).

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
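
The following is an added example, not part of the original post and not Kietu's code. It shows one way to constrain a request-supplied include base such as url_hit before it reaches require. The function name safe_include_base(), the demo directory layout and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not Kietu code. safe_include_base() and the demo
// directory layout are hypothetical; the sample inputs are constructed.

function safe_include_base(?string $candidate, string $root): ?string
{
    $root = realpath($root);
    if ($root === false) {
        return null;
    }
    if ($candidate === null || $candidate === '') {
        return $root . DIRECTORY_SEPARATOR;      // default: the install dir
    }
    // The post notes that the file_exists() guard still admits FTP/FTPS
    // URIs, so refuse any scheme prefix (and NUL bytes) outright.
    if (strpos($candidate, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate)) {
        return null;
    }
    // Canonicalise relative to the install dir, then require containment.
    $resolved = realpath($root . DIRECTORY_SEPARATOR . $candidate);
    if ($resolved === false || !is_dir($resolved)) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($resolved . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return null;                             // traversal left the root
    }
    return $resolved . DIRECTORY_SEPARATOR;
}

// Constructed demo tree: <tmp>/kietu_demo_<pid>/app/define
$root = sys_get_temp_dir() . '/kietu_demo_' . getmypid() . '/app';
mkdir($root . '/define', 0700, true);

$samples = ['', 'define/', '../', '../../../../etc/', '/etc/', 'ftp://host.example/dir/'];
foreach ($samples as $s) {
    $base = safe_include_base($s, $root);
    printf("%-28s => %s\n", var_export($s, true),
        $base === null ? 'REJECTED' : 'ok: ' . $base);
}

// Remove the demo tree again.
rmdir($root . '/define'); rmdir($root); rmdir(dirname($root));
```

Only the empty value and define/ are accepted here; a caller would then build its config.php and define/moteur.php paths from the returned base instead of from the raw parameter.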
