[VIM] [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability
Ferdy Riphagen
f.riphagen at nsec.nl
Thu Mar 15 20:24:12 UTC 2007
Did I miss that...%&#)
> On 03/15/07 15:44, Ferdy Riphagen wrote:
>
>> html/content.php contains:
>> <?
>> $c_category = !isset($c_category)? "":$c_category;
>> include "./basepath.php";
>> $c_module = "content";
>> include "$c_basepath/base/groupit.start.inc";
> ..
>> After normal install basepath.php has (my case)
>> <?
>> $c_basepath = "/chroot/apache2/www/test/groupit/groupit";
>> $c_block_cache = 1;
>> ?>
>>
>> I couldn't find load.inc.php, userprofile.php, dispatch.php (or I
>> need some sleep)
>
> I haven't set it up, but looking at the code in
> groupit/base/groupit.start.inc I see it registers any global variables
> passed in if register_globals is disabled or magic_quotes_gpc is
> enabled; eg,
>
> if (!get_cfg_var("register_globals") || (get_magic_quotes_gpc()))
> {
> /* Register our own global variables when register_globals in
> php.ini is disabled. */
> reset($HTTP_ENV_VARS);
> reset($HTTP_GET_VARS);
> reset($HTTP_POST_VARS);
> reset($HTTP_COOKIE_VARS);
> reset($HTTP_SERVER_VARS);
> while (list ($key, $val) = each ($HTTP_POST_FILES))
> $GLOBALS[$key]=$val;
> while (list ($key, $val) = each ($HTTP_ENV_VARS))
> $GLOBALS[$key]=$val;
> while (list ($key, $val) = each ($HTTP_GET_VARS))
> $GLOBALS[$key]=stripslashes($val);
> while (list ($key, $val) = each ($HTTP_POST_VARS))
> $GLOBALS[$key]=stripslashes($val);
> while (list ($key, $val) = each ($HTTP_COOKIE_VARS))
> $GLOBALS[$key]=$val;
> while (list ($key, $val) = each ($HTTP_SERVER_VARS))
> $GLOBALS[$key]=$val;
>
> So while I don't know about the missing files, it does seem that an
> attacker may be able to overwrite $c_basepath, which will then be used
> further down in this file to include at least two files.
>
>
> George
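
The pattern discussed in this thread can be searched for during a source audit. The script below is an added example, not part of the original thread or of Groupit: it flags PHP source that copies request arrays into `$GLOBALS` and also builds an include path from a variable. The `audit` function, the sample source and the placeholder file name are assumptions made for illustration.

```python
import re

# Request arrays whose keys are chosen by the client (old and new PHP names).
REQUEST_ARRAYS = {"$HTTP_GET_VARS", "$HTTP_POST_VARS", "$HTTP_COOKIE_VARS",
                  "$_GET", "$_POST", "$_COOKIE", "$_REQUEST"}

# A loop over an array whose body assigns every key into $GLOBALS.
IMPORT_RE = re.compile(
    r"(?:for)?each\s*\(\s*(\$\w+)[^;{]*?\)\s*\{?\s*\$GLOBALS\s*\[\s*\$\w+\s*\]\s*=",
    re.S)
# include/require statement; group 1 is the path expression up to the ';'.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?([^;]+);")


def audit(php_source):
    """Report request-to-$GLOBALS imports and variables used in include paths."""
    imports = sorted({m.group(1) for m in IMPORT_RE.finditer(php_source)
                      if m.group(1) in REQUEST_ARRAYS})
    include_vars = set()
    for m in INCLUDE_RE.finditer(php_source):
        # Single-quoted PHP strings do not interpolate variables; drop them.
        expr = re.sub(r"'[^']*'", "", m.group(1))
        include_vars.update(re.findall(r"\$\{?(\w+)", expr))
    return {"imports": imports,
            "include_vars": sorted(include_vars),
            # Any global can be overwritten by the request, so every
            # variable feeding an include path has to be reviewed.
            "at_risk": bool(imports and include_vars)}


# Constructed sample modelled on the loops quoted above.
SAMPLE = r'''<?php
while (list ($key, $val) = each ($HTTP_GET_VARS))
    $GLOBALS[$key]=stripslashes($val);
while (list ($key, $val) = each ($HTTP_COOKIE_VARS))
    $GLOBALS[$key]=$val;
include "$c_basepath/base/placeholder.inc";
include './static.php';
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

This is a textual check only: it does not follow includes across files or track whether the variable is reassigned after the import loop, so a hit is a prompt for manual review.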