[VIM] Small Axe 0.3.1 (linkbar.php cfile) Remote File Inclusion Vulnerability
George A. Theall
theall at tenablesecurity.com
Fri Jan 18 16:28:26 UTC 2008
Milw0rm 4937 / Bugtraq 27345 seems bogus to me, but I can't be sure
because the distribution file for 0.3.1 referenced in the advisory is
incomplete. At the start of the affected file we have:
include_once("inc/config.inc.php");
include_once("inc/coreFX.inc.php");
include_once($cfile);
inc/config.inc.php has this at the bottom:
$cwd = getcwd();
$publicPath = str_replace(basename($_SERVER['PHP_SELF']),"",$_SERVER['REQUEST_URI']);
$svrRoot = str_replace(basename($_SERVER['PHP_SELF']),"",$cwd);
$tmpldir = $svrRoot."/tmpl/";
$publicURL = "http://".$HTTP_HOST.$publicPath;
$cfile = $svrRoot."/inc/".$CONFIG['backend']."/connect.inc.php";
$ffile = $svrRoot."/inc/".$CONFIG['backend']."/functions.inc.php";
$GLOBALS['q'] = 0;
$plugin_dir = $svrRoot."/plugins/";
foreach (glob($plugin_dir."*/setup.php") as $plugin_init) {
    @include($plugin_init);
}
And coreFX.inc.php only has function definitions.
I didn't see a 'plugins' directory in the distribution file so it
seems like '$cfile' isn't directly controllable by an attacker, at
least unless there's an additional plugin installed that does
something stupid.
I did try to set this up to see if plugins were somehow created
dynamically, but the setup program in reality only supports a
MySQL-based installation (at least in 0.3.1), fails miserably if you
use a prefix in table names, and even then, doesn't create necessary
config files.
George
--
theall at tenablesecurity.com
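A small triage helper in the spirit of the check done by hand above, added here as an example and not part of the original post or of Small Axe: it walks the quoted include chain in execution order and reports whether the variable handed to include_once() was assigned by script code before the include (in which case register_globals cannot override it), was assigned from request data, or was never assigned at all. The file contents are abridged from the post, and the analyse() function and the unsafe.php counter-example are constructed for this example.

```python
import re

# Constructed stand-ins, abridged from the files quoted in the post.
FILES = {
    "linkbar.php": """<?php
include_once("inc/config.inc.php");
include_once("inc/coreFX.inc.php");
include_once($cfile);
""",
    "inc/config.inc.php": """<?php
$cwd = getcwd();
$svrRoot = str_replace(basename($_SERVER['PHP_SELF']),"",$cwd);
$cfile = $svrRoot."/inc/".$CONFIG['backend']."/connect.inc.php";
""",
    "inc/coreFX.inc.php": "<?php\nfunction coreFX() { return 1; }\n",
    # Constructed counter-example: the included variable is never assigned.
    "unsafe.php": "<?php\ninclude_once($page);\n",
}
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(\s*(.+?)\s*\)\s*;')
ASSIGN_RE = re.compile(r'^\s*(\$\w+)\s*=\s*(.+?);\s*$')
REQUEST_SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")

def analyse(entry, files=FILES):
    """Map each variable handed to include*() to (verdict, file): "internal" when
    script code assigned it before the include (register_globals cannot override
    that), "tainted" when the assignment reads request data, else "unassigned"."""
    assigned, verdicts = {}, {}
    def walk(path):
        for line in files[path].splitlines():
            m = ASSIGN_RE.match(line)
            if m:  # remember the latest assignment in execution order
                assigned[m.group(1)] = (path, m.group(2))
                continue
            m = INCLUDE_RE.search(line)
            if not m:
                continue
            arg = m.group(1)
            if arg[0] in "\"'":  # literal path: descend into it when available
                if arg.strip("\"'") in files:
                    walk(arg.strip("\"'"))
            elif arg in assigned:
                src, expr = assigned[arg]
                tainted = any(s in expr for s in REQUEST_SOURCES)
                verdicts[arg] = ("tainted" if tainted else "internal", src)
            else:
                verdicts[arg] = ("unassigned", path)
    walk(entry)
    return verdicts
```

Running analyse("linkbar.php") reports $cfile as assigned internally in inc/config.inc.php, which is the reason the advisory looks bogus; the same check flags the constructed unsafe.php, where $page is never set before use.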