[VIM] Root cause of NPDS SQL injection is variable extraction/evaluation
Steven M. Christey
coley at mitre.org
Fri Mar 23 21:16:42 UTC 2007
Researcher: DarkFig
Ref: Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution 0day
http://www.securityfocus.com/archive/1/archive/1/463176/100/0/threaded
Granted the layout isn't optimal, but he excerpts the relevant source
code for each step of the exploit - actually pretty cool.
Anyway, here's my rough analysis:
1) line 31 of print.php uses $DB variable in a query.
2) grab_globals.php shows a whole bunch of juicy extract() goodness
with EXTR_OVERWRITE, so we get to modify nearly-arbitrary variables
including whatever superglobal the relevant PHP version isn't
protecting. So, _FILES[DB][tmp_name] is overwritten in line 83.
3) Lines 133-134 in grab_globals.php do the dynamic variable
evaluation; looping through the values of _FILES[], we wind up
processing _FILES[DB], setting $$DB = _FILES[DB][tmp_name] .
4) I didn't investigate any further, but it wouldn't be surprising if
there were other attacks using the extract capability.
- Steve
More information about the VIM
mailing list