[VIM] Download Management for PHP-Fusion Multiple Local File Include Vulnerabilities
George A. Theall
theall at tenablesecurity.com
Tue Feb 5 15:55:23 UTC 2008
Has anyone looked at Bugtraq 27618 yet? I haven't seen the original
advisory, but going by what's in the BID, I'm not sure the issues are
valid, but my track record's been pretty poor lately so you probably
should do your own research. :-(
- infusion.php starts by checking a couple of things, one of which is
a define for "IN_FUSION". If that's not defined, it redirects to
"../../index.php" and exits before reaching any code involving the
supposedly-affected parameter.
- download_management_admin.php starts off by including PHP-Fusion's
maincore.php, and that has support for extracting GET / POST variables
if register_globals is disabled. But after that, maincore.php queries
its database and populates the 'settings' array, including
'settings[locale]', with the results. And I didn't find anywhere else
that an attacker could regain control of the array variable.
George
--
theall at tenablesecurity.com
More information about the VIM
mailing list