[VIM] Mostly Bogus: ScarAdControl 1.1 Remote/Local File Inclusion Vulnerabilities
George A. Theall
theall at tenablesecurity.com
Mon Apr 9 12:16:59 UTC 2007
Milw0rm 3682 describes two flaws, neither of which looks valid to me, at
least as BeyazKurt describes them:

- scaradcontrol.php has this near the start:

    ### du musst die '//' davor entfernen !!
    // $sac_config_dir = "/www/user234/cats/scaradcontrol/";

  If my German's any good, this says you have to uncomment the definition
  of $sac_config_dir (and presumably define it according to your site's
  layout). Between that and the include(), there's no chance for an
  attacker to override the definition and hence gain control of the
  variable. So the only way the flaw is valid is if someone just unzips
  the distribution file in their document root and doesn't bother doing an
  install.

- admin/index.php has this at lines 133 - 143:

    } elseif(md5($sac_pass)==$pass && md5($sac_user)==$user){
        if ($site=="code") {
            @code_box($id,$cat);
        } else {
            if(file_exists("$site.php")){
                include("$site.php");

  So ok, the flaw does exist but you can't exploit it unless you have
  credentials.

George
--
theall at tenablesecurity.com
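
Added example (not part of the original post and not ScarAdControl code): one way to harden the include("$site.php") pattern quoted from admin/index.php, treating $site as untrusted input. The function name, the page names in the allow-list and the temporary directory layout are assumptions made for illustration.

```php
<?php
// Hypothetical allow-list of admin pages; the real page names are not given in the post.
const ADMIN_PAGES = ['overview', 'banners', 'stats'];

/**
 * Map an untrusted page name to a file that may be included, or null.
 * Unlike file_exists("$site.php"), this never lets the input choose a path.
 */
function resolve_admin_page(string $site, string $baseDir): ?string
{
    // Exact, type-strict match: separators, URL schemes and NUL bytes cannot pass.
    if (!in_array($site, ADMIN_PAGES, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $site . '.php');
    if ($base === false || $path === false) {
        return null; // base directory or page file is missing
    }
    // Defence in depth: the resolved file must sit directly inside the base
    // directory, so a symlinked page file pointing elsewhere is refused.
    return dirname($path) === $base ? $path : null;
}

// Constructed demo: a throwaway directory holding the allow-listed pages.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sac_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
foreach (ADMIN_PAGES as $page) {
    file_put_contents($dir . DIRECTORY_SEPARATOR . $page . '.php', "<?php // $page\n");
}

// Constructed sample values for $site: one legitimate, the rest rejected.
$samples = ['stats', '../stats', 'http://example.invalid/x', "stats\0", 'unknown'];
foreach ($samples as $site) {
    $resolved = resolve_admin_page($site, $dir);
    printf("%-28s => %s\n", json_encode($site),
        $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}

// Remove the demo files again.
foreach (ADMIN_PAGES as $page) {
    unlink($dir . DIRECTORY_SEPARATOR . $page . '.php');
}
rmdir($dir);
```

Only the first sample resolves to a file; every other value is rejected before any filesystem path is built from it.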