[VIM] RSSMini Exploit -- Probably Not
George A. Theall
theall at tenablesecurity.com
Thu Feb 15 15:40:31 EST 2007
This concerns <http://www.milw0rm.com/exploits/3316>:
I just grabbed the source for rssminifolder
(http://rssmini.com/rssminifolder.zip). folder/index.php looks like this:
include("config.php"); ^M
...
<div id="ad"><?php include("$url/ads.php"); ?></div>^M
There's no config.php file by default in the folder directory so this
will work if register_globals is enabled and someone just unzips a copy
of the software under their document directory. However, to actually
install it, you're supposed to copy the config.php file from folder's
parent directory after editing it, and that has this line:
$url = "http://rssmini.com/demo5";^M
I see nowhere in either file where $url can be overwritten by
user-supplied input.
The other files mentioned in the milw0rm posting behave the same as
index.php, at least as far as the exploit is concerned.
So in sum, this only looks like a problem if someone hasn't installed
the software and has register_globals enabled.
P.S: Hope I got it right this time, str0ke. :-)
George
--
theall at tenablesecurity.com
More information about the VIM
mailing list