[VIM] Small Axe 0.3.1 (linkbar.php cfile) Remote File Inclusion Vulnerability
str0ke
str0ke at milw0rm.com
Fri Jan 18 16:41:28 UTC 2008
George,
There isn't an inc directory in the inc directory.
linkbar.php
########
include_once("inc/config.in.php"); << no file found
include_once("inc/coreFX.inc.php"); << no file found
include_once($cfile);
Looks good to me.
/str0ke
George A. Theall wrote:
> Milw0rm 4937 / Bugtraq 27345 seems bogus to me, but I can't be sure
> because the distribution file for 0.3.1 referenced in the advisory is
> incomplete. At the start of the affected file we have:
>
> include_once("inc/config.inc.php");
> include_once("inc/coreFX.inc.php");
> include_once($cfile);
>
> inc/config.inc.php has this at the bottom:
>
> $cwd = getcwd();
> $publicPath = str_replace(basename($_SERVER['PHP_SELF']),"",$_SERVER['REQUEST_URI']);
> $svrRoot = str_replace(basename($_SERVER['PHP_SELF']),"",$cwd);
> $tmpldir = $svrRoot."/tmpl/";
> $publicURL = "http://".$HTTP_HOST.$publicPath;
> $cfile = $svrRoot."/inc/".$CONFIG['backend']."/connect.inc.php";
> $ffile = $svrRoot."/inc/".$CONFIG['backend']."/functions.inc.php";
> $GLOBALS['q'] = 0;
> $plugin_dir = $svrRoot."/plugins/";
> foreach (glob($plugin_dir."*/setup.php") as $plugin_init) {
>     @include($plugin_init);
> }
>
> And coreFX.inc.php only has function definitions.
>
> I didn't see a 'plugins' directory in the distribution file so it
> seems like '$cfile' isn't directly controllable by an attacker, at
> least unless there's an additional plugin installed that does
> something stupid.
>
> I did try to set this up to see if plugins were somehow created
> dynamically, but the setup program in reality only supports a
> MySQL-based installation (at least in 0.3.1), fails miserably if you
> use a prefix in table names, and even then, doesn't create necessary
> config files.
>
> George
> --theall at tenablesecurity.com
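The two messages disagree on whether the literal includes at the top of linkbar.php resolve, which decides whether `$cfile` has been assigned by the time `include_once($cfile)` runs. The following is an added triage example, not code from either poster or from Small Axe: it checks the three quoted lines against two constructed directory layouts. It assumes relative includes resolve from the script's own directory (script requested directly, default include path), and whether an unassigned variable can be set from outside depends on server configuration the thread does not state.

```python
import re
import tempfile
from pathlib import Path

# Matches include/require[_once] of a quoted literal or a bare variable.
INCLUDE_RE = re.compile(
    r"""\b(?P<kw>include|require)(?:_once)?\s*\(?\s*"""
    r"""(?:["'](?P<lit>[^"'$]+)["']|(?P<var>\$\w+))\s*\)?\s*;"""
)

def audit_includes(script):
    """Return (unresolved literal includes, variable includes reached after one)."""
    base = Path(script).parent
    unresolved, exposed, nonfatal_miss = [], [], False
    for m in INCLUDE_RE.finditer(Path(script).read_text(errors="replace")):
        if m.group("lit"):
            if not (base / m.group("lit")).is_file():
                unresolved.append(m.group("lit"))
                if m.group("kw") == "require":
                    break  # require halts the script; later lines never run
                nonfatal_miss = True  # include only warns and carries on
        elif nonfatal_miss:
            exposed.append(m.group("var"))
    return unresolved, exposed

LINKBAR = (  # constructed from the three lines quoted in the thread
    '<?php\n'
    'include_once("inc/config.inc.php");\n'
    'include_once("inc/coreFX.inc.php");\n'
    'include_once($cfile);\n'
)

def build_tree(root, linkbar_dir):
    """Constructed layout: inc/ holds both libraries; linkbar.php goes in linkbar_dir."""
    inc = Path(root) / "inc"
    inc.mkdir()
    (inc / "config.inc.php").write_text("<?php $cfile = 'set-by-config';\n")
    (inc / "coreFX.inc.php").write_text("<?php\n")
    target = Path(root) / linkbar_dir / "linkbar.php"
    target.write_text(LINKBAR)
    return target

def compare_layouts():
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        return (audit_includes(build_tree(a, ".")),
                audit_includes(build_tree(b, "inc")))

if __name__ == "__main__":
    for label, result in zip(("top level", "inside inc/"), compare_layouts()):
        print(label, result)
```

With linkbar.php at the top level both literal includes resolve and nothing is flagged; with it inside inc/ both are missed and `$cfile` is reported as reached without a prior assignment.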