[VIM] 60cycleCMS <= 2.5.0 Remote File Include Exploit
Steven M. Christey
coley at linus.mitre.org
Tue Dec 22 20:41:11 UTC 2009
On Tue, 22 Dec 2009, George A. Theall wrote:
> With a bit of encouragement from Steve...
oh, great, blame me ;-)
> Exploit DB's #10551 looks bogus to me. PoC is:
>
> [60cycleCMS_path]/common/sqlConnect.php?DOCUMENT_ROOT=[SHELL DIRECTORY]/something
So I wish I had the direct reference at hand, but I'm pretty sure that
older PHPs allowed overwriting of $_SERVER variables. How old, I'm not
sure... I think Stefan Esser did some writeup on this. But now I've dug
up a 2006 post to VIM where I said the same thing and apparently never
followed up...
There's always the risk of somebody implementing their own version of
register_globals and poisoning $_SERVER that way, but the code snippet
doesn't give enough context.
Ah yes, Stefan saves the day on this last angle:
http://www.suspekt.org/2009/02/06/some-facts-about-the-phplist-vulnerability-and-the-phpbbcom-hack/
> Code snippet from 2.5.0, which is supposedly affected:
>
> // include your sql info file here
> $root = $_SERVER['DOCUMENT_ROOT'];
> require "$root/../config.php";
Yeah, I can see how this would raise questions. Code inspection would be
needed.
In CVE, we've been somewhat agnostic on this general point because of my
vague recollection that older PHPs allowed $_SERVER to be directly
modified.
- Steve
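Whether or not $_SERVER can be overwritten in a given PHP version, the include in the quoted snippet can be written so that the question never arises. The following is an added example, not 60cycleCMS code and not posted by anyone on the list: it places the quoted pattern next to a hardened form that derives the path from the script's own location and checks the resolved file, and it reads the ini setting that the remote-include variant of the PoC depends on. The directory layout it builds (config.php one level above the script's directory) and all function names are assumptions made for the demonstration.

```php
<?php
// Added example (not 60cycleCMS or the list's code). The layout assumed here,
// config.php one level above the script's directory, is a demo assumption.

// Mirrors the quoted snippet: the include path is built from $_SERVER state.
// $_SERVER is normally populated only by the SAPI, but a home-grown
// register_globals emulation that merges request data into it would make
// this path request-controllable.
function resolveConfigPathUnsafe(array $server): string
{
    $root = $server['DOCUMENT_ROOT'];
    return "$root/../config.php";
}

// Hardened form: anchor on the calling script's own directory (pass __DIR__
// at the call site), then verify that the resolved path is a regular file
// inside $allowedDir. No request-controllable state is involved.
function resolveConfigPathSafe(string $scriptDir, string $allowedDir): ?string
{
    $candidate = realpath($scriptDir . '/../config.php');
    $base      = realpath($allowedDir);
    if ($candidate === false || $base === false) {
        return null;                       // target or base does not exist
    }
    // realpath() has already collapsed '..' and symlinks, so a plain prefix
    // comparison is enough to reject anything that escaped $allowedDir.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($candidate) ? $candidate : null;
}

// The remote variant of the PoC only works when PHP is willing to include
// URLs at all; allow_url_include is off by default since PHP 5.2.
function remoteIncludeEnabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// --- constructed demo layout: <tmp>/config.php and <tmp>/common/ ---
$tmp = sys_get_temp_dir() . '/sixtycycle_demo_' . getmypid();
mkdir("$tmp/common", 0700, true);
file_put_contents("$tmp/config.php", "<?php\n// constructed stand-in for the real config\n");

// Constructed $_SERVER as it would look after a hypothetical
// register_globals-style merge: DOCUMENT_ROOT no longer names the site root.
$poisonedServer = ['DOCUMENT_ROOT' => '/some/request/supplied/path'];

// The unsafe resolver simply echoes back whatever DOCUMENT_ROOT contained.
echo "unsafe: ", resolveConfigPathUnsafe($poisonedServer), "\n";

// The safe resolver ignores $_SERVER entirely and returns the real file
// under the demo directory (or null if the check fails).
$safe = resolveConfigPathSafe("$tmp/common", $tmp);
echo "safe:   ", $safe ?? 'rejected', "\n";

echo "allow_url_include: ", remoteIncludeEnabled() ? 'On' : 'Off', "\n";

// cleanup of the constructed layout
unlink("$tmp/config.php");
rmdir("$tmp/common");
rmdir($tmp);
```

Run it with `php demo.php`. The point of the hardened resolver is that the debate in the thread (can older PHPs have $_SERVER modified, or does some bootstrap emulate register_globals badly) stops mattering for this include once the path is anchored on `__DIR__` and checked with `realpath()`; the `allow_url_include` check is the quick triage question for whether the remote variant of such a report is even plausible on a given host.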