[VIM] Drupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector
George A. Theall
theall at tenablesecurity.com
Fri Oct 19 16:17:06 UTC 2007
Has anyone had a chance to look at Milw0rm 4510? I have two comments
about it...
First, it requires that register_globals be enabled so that
drupal_unset_globals() in includes/bootstrap.inc tries to unset
variables. But Drupal going back at least to version 4.6.3 comes with a
.htaccess file intended to disable register_globals, which would seem to
significantly reduce the number of possible installs that could be
attacked successfully.
Second, I'm not clear where the hash value used in the PoC comes from. I
implemented the code from Esser's advisory in a little hash value
calculator, and running that for the '_menu' parameter tells me to use
'-800928983' for PHP 4.x or '-312030023' for PHP 5.x. And indeed
substituting the first value works just dandy for me on my test system.
George
--
theall at tenablesecurity.com