[VIM] shared code incolving pcltar.lib.php/g_pcltar_lib_dir RFI

Steven M. Christey coley at mitre.org
Mon May 14 22:13:43 UTC 2007

Various disclosures for separate products have involved RFI in a file
named "pcltar.lib.php" (or pcltar.php) using $g_pcltar_lib_dir.  CVE
analysis has shown that this stems from the Tar module 1.3 for Vincent
Blavet PhpConcept Library, called PclTar.  The current version (dated
2003), 1.3.1, also has the problem.

Note: pcltrace.lib.php doesn't appear to be affected, as claimed for
the CJG EXPLORER disclosure.

Affected software is at least:

  (1) Joomla! 1.5.0 Beta

  (2) N/X Web Content Management System (WCMS) 4.5,


and probably (4) MiraksGalerie 2.62, whose disclosure had other
distinct vectors that seemed unrelated to PclTar (CVE-2006-2922).

I'm MERGING all these into CVE-2007-2199, see below.

You can get the original module, 1.3.1, here:


And lib/pcltar.lib.php3 in the official distribution says:

  // PhpConcept Library - Tar Module 1.3.1
  // ----- Configuration variable
  // Theses values may be changed by the user of PclTar library
  if (!isset($g_pcltar_lib_dir))
    $g_pcltar_lib_dir = "lib";

  if (!defined("PCLERROR_LIB"))
  if (!defined("PCLTRACE_LIB"))

NOTE: the readme.txt for this module makes it clear that
g_pcltar_lib_dir needs to be set, but this is more difficult to
evaluate when other software uses this module.

In the CJG EXPLORER disclosure (milw0rm 3915), the researcher claims:

  File : /pcltrace.lib.php


1) There is NO include() call in pcltrace.lib.php in the official
   distribution for 1.3.1, neither is it in 1.0.

2) Neither is there such a call in GJG EXPLORER.

So, I'd say that CVE disputes the pcltrace.lib.php claim but verifies
the pcltar.lib.php claim.

- Steve

More information about the VIM mailing list