[VIM] Verified: arabhost function.php RFI

Heinbockel, Bill heinbockel at mitre.org
Tue Feb 27 11:29:17 EST 2007


Interesting... in the Google Code cache there is no
protaction.php. In includes/, I see
aHostTemplete.php
files/Host.php
files/domin.php
files/rellese.php
files/send.php
files/server.php

Since the original archive is no longer available, this
could be a case of the file being missing from Google cache
or this is a different version than the one you examined.


William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615 

>-----Original Message-----
>From: vim-bounces at attrition.org 
>[mailto:vim-bounces at attrition.org] On Behalf Of str0ke
>Sent: Tuesday, 27 February, 2007 10:20
>To: Vulnerability Information Managers
>Subject: Re: [VIM] Verified: arabhost function.php RFI
>
>Bill "That's False Too!" Heinbockel,
>
>I umm tested this a while back and the file did exist
>includes/protaction.php. :(
>
>In the email back to the author I stated.
>
>includes/protaction.php contains $adminfloder :(
>
>Very strange.
>
>/str0ke
>
>On 2/27/07, Heinbockel, Bill <heinbockel at mitre.org> wrote:
>> BUGTRAQ:20070222 Hasadya Raed
>> http://www.securityfocus.com/archive/1/archive/1/460933/100/0/threaded
>>
>> > B.File :
>> > function.php
>> >
>> > V.Code :
>> > include($adminfloder");
>> >
>> > Expl :
>> > http://www.victim.com/path/function.php?adminfolder=[Shell-Attack]
>>
>>
>> Since the script download at
>> http://delmaa.com/upfile/users/arabHost.zip
>> is currently 404. I'll refer to the Google Code cache of
>> arabHost/function.php:
>>
>> http://www.google.com/codesearch?hl=en&q=show:y_09L32ZX4g:c-H4PKvziZc:CSW92BIlIMw&sa=N&ct=rd&cs_p=http://delmaa.com/upfile/users/arabHost.zip&cs_f=arabHost/function.php
>>
>> Code (lines 1-4):
>> > <?php
>> >
>> > include("includes/protaction.php");
>> > include("$adminfloder/config.php");
>>
>> And the package contains no "includes/protaction.php" file (and
>> the ReadMe.html is in Arabic), so this issue does appear valid.
>>
>>
>> Sorry jericho, no disputes this time.
>>
>> Bill "That's False Too!" Heinbockel
>> Infosec Engineer
>> The MITRE Corporation
>> 202 Burlington Rd. MS S145
>> Bedford, MA 01730
>> heinbockel at mitre.org
>> 781-271-2615
>>
>
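The check Bill does by hand in the quoted message (does the package ship the file that should define $adminfloder, and is the variable assigned before function.php reaches the include that uses it) can be automated. The following is an added example, not code from the thread or from arabHost; the sample package is constructed from the four quoted lines of function.php, and the regexes only handle the simple double-quoted include form shown there.

```python
import re
from typing import Dict, List

# Constructed sample package modelled on the four lines of arabHost/function.php quoted
# in the thread: a static include of includes/protaction.php, then an include whose
# path is built from $adminfloder. This is not the real archive.
PACKAGE: Dict[str, str] = {
    "function.php": '<?php\n\ninclude("includes/protaction.php");\n'
                    'include("$adminfloder/config.php");\n',
}
# Same entry file, but with the guard file present and assigning the variable.
PACKAGE_WITH_GUARD: Dict[str, str] = {
    **PACKAGE,
    "includes/protaction.php": '<?php\n$adminfloder = "admin";\n',
}

INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*"([^"]*)"')
ASSIGN_RE = re.compile(r'\$(\w+)\s*=[^=]')   # plain assignment, not ==
INTERP_RE = re.compile(r'\$(\w+)')           # variables interpolated in a string

def audit_includes(files: Dict[str, str], entry: str = "function.php") -> List[str]:
    """Flag include() arguments that interpolate a variable which is not assigned
    earlier in the entry file or by a static local include that precedes it.
    Such a variable is unset when include() runs, so with register_globals on it
    is request-controlled: the RFI discussed in the thread."""
    findings: List[str] = []
    defined = set()
    src = files.get(entry)
    if src is None:
        return [f"{entry}: entry file missing from package"]
    for lineno, line in enumerate(src.splitlines(), 1):
        defined.update(ASSIGN_RE.findall(line))
        for arg in INCLUDE_RE.findall(line):
            variables = INTERP_RE.findall(arg)
            if not variables:
                # Static path: pick up assignments from the included file, or
                # record that the package does not ship it (Bill's observation).
                inc = files.get(arg)
                if inc is None:
                    findings.append(f"{entry}:{lineno}: included file '{arg}' missing from package")
                else:
                    defined.update(ASSIGN_RE.findall(inc))
                continue
            for var in variables:
                if var not in defined:
                    findings.append(f"{entry}:{lineno}: include path uses ${var}, "
                                    "which nothing assigns before this point (RFI candidate)")
    return findings

if __name__ == "__main__":
    for name, pkg in (("as cached", PACKAGE), ("with protaction.php", PACKAGE_WITH_GUARD)):
        print(name, "->", audit_includes(pkg) or ["no findings"])
```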

