[VIM] true: 2 distinct LMS RFI, one old, one new; and vague ACK
Steven M. Christey
coley at mitre.org
Thu Apr 26 23:24:18 UTC 2007
== RFI 1 ==

Researcher: InyeXion
Ref: BUGTRAQ lms 1.5.3 Remote File Inclusion
http://archives.neohapsis.com/archives/bugtraq/2007-04/0379.html

This is a 2-year-old version. I grabbed it:

  http://www.lms.org.pl/download/1.5/lms-1.5.3+libs.tar.gz

and the first executable line is as stated:

  include($_LIB_DIR.'/multipart_mime_email.php');

This line does not appear in later versions:

  ./lms-1.6.8/modules/rtmessageadd.php
  ./lms-1.6.9/modules/rtmessageadd.php
  ./lms-1.8.9/modules/rtmessageadd.php

== RFI 2 ==

Researcher: Kacper
Ref: http://www.milw0rm.com/exploits/3545

For version 1.8.9:

The first lines in welcome.php are:

  require_once($_LIB_DIR.'/Sysinfo.class.php');
  @include($_LIB_DIR.'/locale/'.$_language.'/fortunes.php');

the only line in userpanel.php is:

  include($CONFIG['directories']['userpanel_dir']."/lib/LMS.setup.php");

== Vendor ACK of... something. ==

Vendor changelog is at http://www.lms.org.pl/changelog.php

ChangeLog,v 1.1115 2007/04/24 has:

  version ? (????-??-??):
  ...
  fixed some remote file inclusion vulnerabilities when
  register_globals is enabled (alec)

But since the vulnerable 1.8.9 is the latest available version, it's
not provable that the vendor is talking about RFI 2, instead of some
other issue.

- Steve
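
The manual check in this post (is a variable used in an include/require path assigned earlier in the same file, or could register_globals supply it?) can be scripted for a source audit. The following is an added example, not part of the original message or of LMS; the `audit` function, its regexes and the `HARDENED` sample are assumptions made for illustration, and the other two samples reuse the lines quoted above.

```python
import re

# include/require (optionally _once), not a variable name, captured up to the ';'
INCLUDE_RE = re.compile(r'(?<![$\w])(?:include|require)(?:_once)?\b([^;]*);', re.I)
# $x = ... or $x['k'] = ... (excludes == and =>)
ASSIGN_RE = re.compile(r'\$(\w+)\s*(?:\[[^\]]*\]\s*)*=(?![=>])')
VAR_RE = re.compile(r'\$(\w+)')

def audit(source):
    """Return [(line_no, [variables])] for include/require paths built from
    variables that this file has not assigned on an earlier line."""
    assigned, findings = set(), []
    for no, line in enumerate(source.splitlines(), 1):
        if line.strip().startswith(('//', '#', '*', '/*')):
            continue  # crude comment skip; this is a heuristic, not a PHP parser
        for m in INCLUDE_RE.finditer(line):
            unset = [v for v in VAR_RE.findall(m.group(1)) if v not in assigned]
            if unset:
                findings.append((no, unset))
        # Record assignments after the check so only earlier lines count
        assigned.update(ASSIGN_RE.findall(line))
    return findings

# Lines quoted in the post for 1.8.9 (the "<?php" opener is assumed)
WELCOME = r"""<?php
require_once($_LIB_DIR.'/Sysinfo.class.php');
@include($_LIB_DIR.'/locale/'.$_language.'/fortunes.php');
"""
USERPANEL = r"""<?php
include($CONFIG['directories']['userpanel_dir']."/lib/LMS.setup.php");
"""
# Constructed sample (not the vendor's fix): the path variable is set in-file
HARDENED = r"""<?php
$_LIB_DIR = dirname(__FILE__).'/lib';
require_once($_LIB_DIR.'/Sysinfo.class.php');
"""

if __name__ == '__main__':
    for name, src in (('welcome.php', WELCOME), ('userpanel.php', USERPANEL),
                      ('hardened (constructed)', HARDENED)):
        print(name, audit(src))
```

A finding only means the file does not set the variable itself; whether it is reachable still depends on register_globals being enabled and the file being directly requestable.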