[VIM] probably true: SimpGB RFI, likely dynamic variable evaluation

Steven M. Christey coley at mitre.org
Thu May 24 18:01:01 UTC 2007


Researcher: the_Edit0r
Ref: BUGTRAQ SimpGB v1.46.0 Remote File Include Exploit
     http://www.boesch-it.de/progsys/download.php?filenr=9&lang=en


First glance at guestbook.php shows:

   require_once('./config.php');

and config.php (distributed as config.dist.php) has:

   $path_simpgb = getenv("DOCUMENT_ROOT")."/simpgb";

but then, back in guestbook.php, we have:

   require($path_simpgb.'/includes/global.inc');

whose name, history has demonstrated, suggests the possibility of
dynamic variable evaluation.

Sure enough, includes/global.inc has:

   while( list($var, $param) = @each($_GET) )
   {
	if(!isset($$var))
	{
		if((substr($var,0,4)!="url_") && (substr($var,0,5)!="path_"))
		{
			$$var=$_GET[$var];
			if(!get_magic_quotes_gpc())
				$$var=addslashes($$var);
		}

$$var, total awesomeness.

But wait!  This is in a nested include.  Where does the RFI come in,
utilizing $path_simpgb?

Ah, at the end of global.inc, we have:

  include($path_simpgb.'/includes/timezones.inc');


I've only done source analysis though, and this is nested deep enough
that I'm not 100% confident in my conclusions.

- Steve
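
The manual review above (find the dynamic variable evaluation, then find include paths built from variables) can be repeated mechanically over a source tree. The Python below is an added example, not part of the original post or of SimpGB: the function names are hypothetical and the sample input is only the lines quoted in the post. It does not evaluate guards such as the isset() and name-prefix tests in the quoted loop, so every hit is a lead to trace by hand.

```python
import re

# Write through a variable variable: $$name = ...  or  ${$name} = ...
VARVAR_ASSIGN = re.compile(r"\$(?:\$\w+|\{\s*\$\w+\s*\})\s*=(?!=)")
# Request-controlled superglobals
SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|COOKIE|REQUEST)\b")
# include/require whose path expression starts with a variable
VAR_INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)")

def audit(files):
    """files maps file name -> PHP source; returns (file, line, kind, detail) tuples."""
    findings = []
    for name, src in files.items():
        for no, line in enumerate(src.splitlines(), 1):
            if VARVAR_ASSIGN.search(line) and SUPERGLOBAL.search(line):
                findings.append((name, no, "dynamic-variable", line.strip()))
            m = VAR_INCLUDE.search(line)
            if m:
                findings.append((name, no, "variable-include", m.group(1)))
    return findings

def include_vars_to_trace(findings):
    """Variables that build include paths, reported only if request data is
    imported into variables somewhere in the same tree."""
    if not any(kind == "dynamic-variable" for _, _, kind, _ in findings):
        return []
    return sorted({d for _, _, kind, d in findings if kind == "variable-include"})

# Sample input: only the lines quoted in the post, grouped by file.
SAMPLE = {
    "guestbook.php": r"""require_once('./config.php');
require($path_simpgb.'/includes/global.inc');
""",
    "includes/global.inc": r"""while( list($var, $param) = @each($_GET) )
{
	if(!isset($$var))
	{
		if((substr($var,0,4)!="url_") && (substr($var,0,5)!="path_"))
		{
			$$var=$_GET[$var];
			if(!get_magic_quotes_gpc())
				$$var=addslashes($$var);
		}
include($path_simpgb.'/includes/timezones.inc');
""",
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(*f, sep=": ")
    print("trace:", include_vars_to_trace(audit(SAMPLE)))
```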

