[VIM] false: Tritanium Bulletin Board 2 version #2005-05-02-18-17-06 Remote File Inclusion Exploit

str0ke str0ke at milw0rm.com
Thu Feb 8 12:13:42 EST 2007


Piece of the exploit code:
=>$Path.'misc/update_tbb1/update_tbb1.php?LANGUAGE_PATH='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or
die "\nCould Not connect\n";

First 3 lines of code.

> require_once('startup.php');

> $LANGUAGE_PATH = 'languages/'.$CONFIG['standard_language'];
> include($LANGUAGE_PATH.'/lng_main.php');

Seems there isn't a startup.php file in the update_tbb1 directory,
which in newer versions of php would just die right after the first
line.

If you get passed the require line you could take over
$CONFIG['standard_language'].  Even local inclusion isn't possible
without a languages folder existing in the current directory.  So
pretty much the script isn't vulnerable to a remote/local inclusion
attack.

/str0ke


More information about the VIM mailing list