[VIM] RSSMini Exploit -- Probably Not
Steven M. Christey
coley at linus.mitre.org
Thu Feb 15 17:23:42 EST 2007
On Thu, 15 Feb 2007, George A. Theall wrote:
>
> include("config.php");
> ...
> <div id="ad"><?php include("$url/ads.php"); ?></div>
>
> There's no config.php file by default in the folder directory so this
> will work if register_globals is enabled and someone just unzips a copy
> of the software under their document directory.

Oh. My. God.

I can't believe this... the application doesn't exit on a failed include?
I just tested this and it's true, but... wow. Oh wait, I see - require()
will trigger a fatal exit. OK. I didn't know about this feature of PHP.

But - there's a whole bunch of vulnerabilities waiting to be found that
rely on this behavior, 'cause I bet a bunch of PHP programmers don't
really understand this. Is it protected against traversal and RFI, but
uses user input? Fine, just use an invalid value, trigger a failed
include, and related variables become yours.

Ya learn something new every day.
- Steve
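
The include()/require() difference discussed in this message, shown as an added PHP example that is not part of the original post or RSSMini's code. The file names, the `ads_dir` key and the helpers `load_config` and `ads_path` are hypothetical, and the fixture files are constructed in a temp directory.

```php
<?php
// Added illustration, not RSSMini code. All file names below are constructed.

// --- Behaviour discussed above: include() fails open ----------------------
// include() on a missing file raises a warning and returns false; the script
// keeps running, so any variable the file was meant to define stays unset.
$missing = __DIR__ . '/no-such-config.php';
$result  = @include $missing;   // '@' hides the warning for this demo only
var_dump($result);
var_dump(isset($url));
// With register_globals enabled (the setting was removed in PHP 5.4), a
// request parameter named "url" would populate $url at this point.

// --- Fail-closed alternative ----------------------------------------------
function load_config(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException("config file not found");
    }
    $config = require $path;    // require aborts with a fatal error on failure
    if (!is_array($config) || !is_string($config['ads_dir'] ?? null)) {
        throw new RuntimeException("config does not define ads_dir");
    }
    return $config;
}

function ads_path(array $config, string $baseDir): string
{
    // Resolve to a real local path and confirm it stays under $baseDir,
    // so a URL or a path outside the application is rejected.
    $base = realpath($baseDir);
    $path = realpath($config['ads_dir'] . '/ads.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("ads.php is not inside the application");
    }
    return $path;
}

// Constructed fixture: a temp directory with a config that returns an array.
$dir = sys_get_temp_dir() . '/include_demo_' . getmypid();
@mkdir($dir);
file_put_contents("$dir/ads.php", "<?php echo \"ad block\\n\";");
file_put_contents("$dir/config.php", "<?php return ['ads_dir' => " . var_export($dir, true) . "];");

try {
    load_config($missing);      // missing config: refuse instead of continuing
} catch (RuntimeException $e) {
    echo "refused: ", $e->getMessage(), "\n";
}
require ads_path(load_config("$dir/config.php"), $dir);
```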