[VIM] MyPhotos includesdir file inclusion - CVE dispute

[Heinbockel, Bill]

Researcher - Root3r_H3ll (again)

BUGTRAQ:20060923 MyPhotos<= Remote File Include Vulnerability
http://www.securityfocus.com/archive/1/archive/1/446876/100/0/threaded

In MyPhotos 0.1.3b beta, index.php on line 28:
>>    include ("$includesdir/indextext.inc.php");
However on line 4:
>>    include ('globvars.inc.php');

If installed (per instructions) with the install.php script,
when configuring the "options" on lines 231-245:
>>    if(!$fp = fopen("./globvars.inc.php", "a"))
...
>>     $config_data = '$mydb = "'.$dbserver.'";'."\n".
>>     '$mydatabase = "'.$dbname.'";'."\n".
>>     '$myusername = "'.$dbuser.'";'."\n".
>>     '$mypassword = "'.$dbpass.'";'."\n\n".
>>     '$sitename = "'.$name.'";'."\n".
>>     '$langfile = "'.$language.'";'."\n".
>>     '$maindir = "'.$dir.'";'."\n".
>>     '$langdir = "'.lang.'";'."\n".
>>     '$includesdir = "'.user_includes.'";'."\n".
>>     '?>'."\n";
>>   fputs($fp, $config_data);
>>   fclose($fp);
prior to running this, the installation instructions state
to chmod globvars.inc.php to 666 and user_includes to 777.

Additionally, the "user_includes" value is not defined elsewhere
before being reference, but PHP assumes that you wanted the string
and the result is the string 
>>  $includesdir = "user_includes"; \
in the globvars.inc.php file.

NOTE: as the installation requires a database connection, I did not
verify that the entire installation was successful.


William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615