[VIM] Small Axe 0.3.1 (linkbar.php cfile) Remote File Inclusion Vulnerability

George A. Theall theall at tenablesecurity.com
Fri Jan 18 16:28:26 UTC 2008


Milw0rm 4937 / Bugtraq 27345 seems bogus to me, but I can't be sure  
because the distribution file for 0.3.1 referenced in the advisory is  
incomplete. At the start of the affected file we have:

   include_once("inc/config.inc.php");
   include_once("inc/coreFX.inc.php");
   include_once($cfile);

inc/config.inc.php has this at the bottom:

   $cwd = getcwd();
   $publicPath = str_replace(basename($_SERVER['PHP_SELF']),"",$_SERVER['REQUEST_URI']);
   $svrRoot = str_replace(basename($_SERVER['PHP_SELF']),"",$cwd);
   $tmpldir = $svrRoot."/tmpl/";
   $publicURL = "http://".$HTTP_HOST.$publicPath;
   $cfile = $svrRoot."/inc/".$CONFIG['backend']."/connect.inc.php";
   $ffile = $svrRoot."/inc/".$CONFIG['backend']."/functions.inc.php";
   $GLOBALS['q'] = 0;
   $plugin_dir = $svrRoot."/plugins/";
   foreach (glob($plugin_dir."*/setup.php") as $plugin_init) {
      @include($plugin_init);
   }

And coreFX.inc.php only has function definitions.

I didn't see a 'plugins' directory in the distribution file so it  
seems like '$cfile' isn't directly controllable by an attacker, at  
least unless there's an additional plugin installed that does  
something stupid.

I did try to set this up to see if plugins were somehow created  
dynamically, but the setup program in reality only supports a MySQL- 
based installation (at least in 0.3.1), fails miserably if you use a  
prefix in table names, and even then, doesn't create necessary config  
files.

George
-- 
theall at tenablesecurity.com
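
[Editor's note: the following is an added example, not code from the Small Axe distribution, the advisory, or the message above. It reproduces the include ordering George describes with constructed stand-ins for inc/config.inc.php and inc/coreFX.inc.php, and assumes a register_globals-style import of request variables via extract(), so that a request-supplied cfile can be traced to the point where linkbar.php would call include_once($cfile).]

```php
<?php
// Added triage harness (constructed; not project code). It mimics the top of
// linkbar.php: config.inc.php, then coreFX.inc.php, then include_once($cfile).
// Assumption: register_globals=On is what the advisory relies on; extract()
// stands in for it here.

// Constructed stand-ins for the two real include files.
$stubConfig = '<?php $cfile = "/var/www/smallaxe/inc/mysql/connect.inc.php";';
$stubCore   = '<?php function coreFX_stub() { return true; }';

$dir = sys_get_temp_dir() . '/smallaxe_triage_' . getmypid();
mkdir($dir . '/inc', 0700, true);
file_put_contents($dir . '/inc/config.inc.php', $stubConfig);
file_put_contents($dir . '/inc/coreFX.inc.php', $stubCore);

// Simulated request carrying the parameter named in the advisory
// (placeholder value; what matters is whether it survives to the include).
$_GET['cfile'] = 'REQUEST_SUPPLIED_VALUE';
extract($_GET, EXTR_OVERWRITE);          // register_globals behaviour
$fromRequest = $cfile;

// Same order as linkbar.php. Only the first two includes are executed here;
// the third is replaced by a comparison of the value it would receive.
include_once $dir . '/inc/config.inc.php';
include_once $dir . '/inc/coreFX.inc.php';
$atInclude = $cfile;

printf("cfile from request : %s\n", $fromRequest);
printf("cfile at include   : %s\n", $atInclude);
if ($atInclude === $fromRequest) {
    echo "request value reaches include_once(): claim plausible\n";
} else {
    echo "overwritten by config.inc.php before use: claim needs a plugin\n";
}
// With the real config.inc.php the value also depends on $CONFIG['backend'],
// so a plugin setup.php that reassigns $cfile is the remaining thing to audit.

unlink($dir . '/inc/config.inc.php');
unlink($dir . '/inc/coreFX.inc.php');
rmdir($dir . '/inc');
rmdir($dir);
```

Run against the actual 0.3.1 files by pointing the two include paths at them instead of the stubs; any plugins/*/setup.php present in an installation is loaded by config.inc.php and is where a reassignment of $cfile would have to come from.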