[VIM] [uncertain] (mostly) phpFaber TopSites path traversal
Steven M. Christey
coley at mitre.org
Thu Apr 19 08:17:08 UTC 2007
Who: Dr.RoVeR
Where: BUGTRAQ:20070411 nEw Bug :D
URL: http://www.securityfocus.com/archive/1/archive/1/465339/100/100/threaded
The researcher quotes a couple lines from index.php, but this is a red
herring; these lines only set "page" to a static value when the
provided parameter is missing or invalid.
template.php (reachable through the "template" page in
admin/index.php) in the provided download has:
if ($_GET['modify']) $_GET['modify'] = basename($_GET['modify']);
but then later we have:
elseif($files[$_GET['modify']]){
    if(!$files[$_GET['modify']]) $err_msg = "Please select file";
    else{
        $fn = PATH_SITE.$files[$_GET['modify']];
        $content = PrepareTplData(cpReadFile($fn));
    }
}
and $fn is later used in an include.
HOWEVER... at first glance, it seems like $files might be a whitelist,
and $files is not specified in the attack URL, so this conditional
might not be satisfied.
But given that the researcher quoted the entirely wrong section of
code, this doesn't look like a grep-and-gripe situation, so maybe I'm
missing something. extra.php looks like it might have something:
$fn = PATH_SITE.$path.$_GET['modify'];
$content = cpReadFile($fn);
but I don't see this being directly included by template.php.
So, I'm a little mixed here.
- Steve
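The two patterns Steve contrasts above (an array-key lookup in template.php versus direct concatenation in extra.php) are illustrated below in a self-contained PHP script. This is an added example, not phpFaber TopSites code; the names $files, $path and PATH_SITE follow the post, while the helper function names, the temporary directory layout and the sample template files are constructed for this demonstration. The third helper is a hardened variant of the extra.php pattern using a bare-name check plus realpath containment, which is the fix a reviewer would ask for.

```php
<?php
// Added illustration (not phpFaber TopSites code). Contrasts the whitelist-style
// lookup from template.php with the concatenation in extra.php and shows a
// contained variant. Helper names below are invented for this example.

// Constructed sandbox: a temporary "site" root with two template files.
$siteRoot = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($siteRoot . '/templates', 0700, true);
file_put_contents($siteRoot . '/templates/main.tpl', 'main template');
file_put_contents($siteRoot . '/templates/footer.tpl', 'footer template');
define('PATH_SITE', $siteRoot . '/');

// Whitelist in the style of template.php's $files: key => relative path.
$files = [
    'main'   => 'templates/main.tpl',
    'footer' => 'templates/footer.tpl',
];

// Pattern 1 (template.php): the user value is used only as an array key.
// An unknown key has no entry, so the lookup itself acts as a whitelist,
// independent of whatever basename() did beforehand.
function resolveViaWhitelist(array $files, string $modify): ?string
{
    $modify = basename($modify);            // mirrors the basename() line in the post
    if (!isset($files[$modify])) {
        return null;                        // the "Please select file" branch
    }
    return PATH_SITE . $files[$modify];
}

// Pattern 2 (extra.php): the user value is concatenated straight into the path.
// Kept only to make the contrast explicit; nothing validates $modify here.
function resolveByConcatenation(string $path, string $modify): string
{
    return PATH_SITE . $path . $modify;
}

// Hardened variant of pattern 2: accept only a bare file name and confirm the
// resolved path still lives under the intended directory (realpath containment).
function resolveContained(string $path, string $modify): ?string
{
    if ($modify === '' || $modify !== basename($modify)) {
        return null;                        // rejects empty names and any separators
    }
    $baseDir = realpath(PATH_SITE . $path);
    $target  = realpath(PATH_SITE . $path . $modify);
    if ($baseDir === false || $target === false) {
        return null;                        // directory or file does not exist
    }
    $prefix = $baseDir . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                        // resolved outside the template directory
    }
    return $target;
}

// Exercise the helpers with constructed inputs.
$results = [
    'whitelist known key'      => resolveViaWhitelist($files, 'main') !== null,
    'whitelist leading dir'    => resolveViaWhitelist($files, '../main') !== null, // basename() yields 'main'
    'whitelist unknown key'    => resolveViaWhitelist($files, 'missing') === null,
    'contained existing file'  => resolveContained('templates/', 'footer.tpl') !== null,
    'contained missing file'   => resolveContained('templates/', 'nope.tpl') === null,
    'concat equals contained'  => realpath(resolveByConcatenation('templates/', 'footer.tpl'))
                                  === resolveContained('templates/', 'footer.tpl'),
];
foreach ($results as $label => $ok) {
    printf("%-26s %s\n", $label, $ok ? 'ok' : 'FAIL');
}

// Clean up the constructed sandbox.
unlink($siteRoot . '/templates/main.tpl');
unlink($siteRoot . '/templates/footer.tpl');
rmdir($siteRoot . '/templates');
rmdir($siteRoot);
```

Run with `php example.php` (PHP 7.1 or later for the nullable return types). The point the script makes is the one raised in the post: with pattern 1 the request value never reaches the filesystem path directly, so the conditional on $files is the effective control, whereas pattern 2 has no such control and needs the containment check to be safe.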