[VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure

George A. Theall theall at tenablesecurity.com
Thu Apr 26 00:14:59 UTC 2007


Someone help me out please... Milw0rm 3800 / Bugtraq 23643 are for a 
flaw that looks like a directory traversal; i.e.,

 
Exploit:[Path_ext]/examples/layout/feed-proxy.php?feed=../../../../../../etc/passwd

Yet when I look at the code from either version 1.0 alpha 1 (from 
<http://yui-ext.com/deploy/ext-1.0-alpha1.zip>), which is supposedly 
affected, or 1.0 (from <http://extjs.com/deploy/ext-1.0.zip>), the 
latest version, the affected file has the following code:

   $feed = $_REQUEST['feed'];
   if($feed != '' && strpos($feed, 'http') === 0){
           header('Content-Type: text/xml');
           readfile($feed);
           return;
   }

Now doesn't the strpos() along with the "===" test mean that the feed 
parameter must start with "http"??? So did Alkomandoz Hacker bother to 
test his/her proof of concept???

Now I suppose if the remote has allow_url_fopen enabled, you might be 
able to abuse this to try to hide yourself from attacks against 
third-party sites, but that's a separate issue.

George
-- 
theall at tenablesecurity.com
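
Added example (not part of the original message and not ext's own code): the prefix test from feed-proxy.php applied to the advisory's feed value and to two constructed URLs, beside a stricter host-allowlist check. The function names, ALLOWED_FEED_HOSTS and the example.org / example.net hosts are assumptions made for illustration.

```php
<?php
// Added example, not code from ext: reproduces the feed-proxy.php prefix test
// and compares it with a stricter, allowlist-based check.

// The same condition feed-proxy.php applies before calling readfile().
function original_check(string $feed): bool
{
    return $feed != '' && strpos($feed, 'http') === 0;
}

// Hypothetical allowlist of feed hosts (constructed for this example).
const ALLOWED_FEED_HOSTS = ['feeds.example.org'];

// Stricter check: full URL parse, http/https only, host must be allowlisted.
function strict_check(string $feed): bool
{
    $parts = parse_url($feed);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    return in_array(strtolower($parts['host']), ALLOWED_FEED_HOSTS, true);
}

// Constructed sample inputs; the first is the feed value from the advisory.
$samples = [
    '../../../../../../etc/passwd',
    'http://feeds.example.org/news.xml',
    'http://third-party.example.net/page',
];

foreach ($samples as $feed) {
    printf(
        "%-40s original=%-6s strict=%s\n",
        $feed,
        original_check($feed) ? 'pass' : 'reject',
        strict_check($feed) ? 'pass' : 'reject'
    );
}
```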

