[VIM] [ISecAuditors Security Advisories] PHP-Calendar <= v1.1 'configfile' Remote and Local File Inclusion vulnerability
George A. Theall
theall at tenablesecurity.com
Tue Dec 22 20:04:30 UTC 2009
A bit of clarification about the advisory ISecAuditors made in their
advisory about PHP-Calendar, as covered by CVE-2009-3702...
The ISecAuditors advisory includes a code snippet from update08.php as
distributed with version 1.1:

    } elseif(!empty($_GET['configfile'])) {
        if(file_exists($_GET['configfile'])) {
            require_once($_GET['configfile']);

Looks pretty bad, doesn't it? Now look at an expanded code snippet
from that same file:

    $phpc_root_path = './';

    require_once($phpc_root_path . "includes/calendar.php");
    require_once('adodb/adodb.inc.php');

    $have_config = false;
    if(file_exists($phpc_root_path . 'config.php')) {
        require_once($phpc_root_path . 'config.php');
        $have_config = true;
    } elseif(file_exists($phpc_root_path . 'config.inc.php')) {
        require_once($phpc_root_path . 'config.inc.php');
        $have_config = true;
    } elseif(!empty($_GET['configfile'])) {
        if(file_exists($_GET['configfile'])) {
            require_once($_GET['configfile']);
            $have_config = true;

Now you can see you only reach the vulnerable code if two conditions
are unmet, each of which checks for a config file, presumably from an
earlier install of some version or another. In other words, the
vulnerability is only exploitable if the software has not been already
installed or the installation was broken by having its config file(s)
removed.
George
--
theall at tenablesecurity.com
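
Added example, not part of the original post or of PHP-Calendar: a triage script that walks a web root and reports every copy of update08.php for which both earlier config checks would fail, which is the precondition described above for reaching the 'configfile' branch. It assumes './' resolves to the directory holding the script; the function names and the sample directory layout are constructed for illustration.

```python
import os
import tempfile

# Config files update08.php looks for, in order, before it falls back to
# the request-supplied 'configfile' parameter (names taken from the snippet).
CONFIG_NAMES = ("config.php", "config.inc.php")
SCRIPT_NAME = "update08.php"


def configfile_branch_reachable(install_dir):
    """True when neither config file exists, i.e. both earlier checks fail.

    os.path.exists mirrors PHP's file_exists(), which is also true for
    directories. Assumes './' resolves to the directory holding the script.
    """
    return not any(
        os.path.exists(os.path.join(install_dir, name)) for name in CONFIG_NAMES
    )


def audit_webroot(webroot):
    """Return {install_dir: reachable} for every update08.php under webroot."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(webroot):
        if SCRIPT_NAME in filenames:
            findings[dirpath] = configfile_branch_reachable(dirpath)
    return findings


def build_sample_tree(root):
    """Constructed sample layout: two configured copies, one without config."""
    layout = {
        "installed": [SCRIPT_NAME, "config.php"],
        "legacy": [SCRIPT_NAME, "config.inc.php"],
        "unconfigured": [SCRIPT_NAME],
        "unrelated": ["index.php"],
    }
    for sub, files in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in files:
            open(os.path.join(root, sub, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for path, reachable in sorted(audit_webroot(root).items()):
            status = "REVIEW: no config file" if reachable else "ok"
            print(f"{os.path.relpath(path, root)}: {status}")
```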