[VIM] clearBudget v0.9.8 Remote File Include Vulnerability
rkeith
rkeith at securityfocus.com
Wed Aug 11 10:25:54 CDT 2010
Hey,
Definitely bogus, we will be retiring the BID shortly.
-Rob
George A. Theall wrote:
> Looks like the same sort of problem with Exploit DB 14614 / Bugtraq
> 42351 -- the supposedly affected file defines a class, and there's no
> way for an attacker to control the '$actionPath' variable:
>
> <?php
> /**
> * File holding the controller class
> *
> * @author Fabrice Douteaud <admin at clearbudget.net>
> * @package framework
> * @access public
> */
>
> /***********************************************************************
>
> Copyright (C) 2008 Fabrice Douteaud (admin at clearbudget.net)
>
> This file is part of ClearBudget.
>
> ClearBudget is free software: you can redistribute it and/or modify
> it under the terms of the GNU General Public License as published by
> the Free Software Foundation, either version 3 of the License, or
> (at your option) any later version.
>
>
> ClearBudget is distributed in the hope that it will be useful,
> but WITHOUT ANY WARRANTY; without even the implied warranty of
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> GNU General Public License for more details.
>
> You should have received a copy of the GNU General Public License
> along with ClearBudget. If not, see <http://www.gnu.org/licenses/>.
>
> ************************************************************************/
>
> /**
> * Class managing the flow of event from a given request. It controls the actions
> * that are requested and build the output message.
> *
> * this is the applicaton controller.
> *
> * @author Fabrice Douteaud <admin at clearbudget.net>
> * @package framework
> * @access public
> */
> class class_controller {
> ...
> public function doAction() {
> ...
> $actionPath = 'actions'.DIRECTORY_SEPARATOR.$context->action.'.php';
> // if file does not exist, we simply continue
> if(file_exists($actionPath)) {
> // includes the files (i.e.: execute it)
> include($actionPath);
> ...
> }
> ...
> public function includeAction($action) {
> ...
> $actionPath = 'actions'.DIRECTORY_SEPARATOR.$action.'.php';
> // if file does not exist, we simply continue
> if(file_exists($actionPath)) {
> // includes the files (i.e.: execute it)
> include($actionPath);
> ...
> }
> ...
> }
> ?>
>
>
> George
--
Rob Keith
Symantec
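George's reasoning above can be applied mechanically when triaging an RFI report: a PHP include can only fetch a remote URL if the attacker controls the start of the path (stream wrappers such as http:// are recognised only as a prefix), so an include whose path begins with a fixed string literal, as both ClearBudget methods do, cannot be a remote file include whatever is appended to it. The Python helper below is an added example for this thread, not code from ClearBudget or from either poster; its regex parsing of PHP is a deliberate heuristic, the `CONTROLLER_SNIPPET` is a constructed abbreviation of the code quoted above, and `UNPREFIXED_SNIPPET` is a constructed counter-example of the shape a genuine RFI report would have to show.

```python
"""Triage helper for remote-file-include (RFI) reports.

A PHP include can only reach a remote URL when the *start* of the path is
attacker-controlled, because stream wrappers such as http:// are recognised
only as a prefix.  An include whose path begins with a fixed string literal
therefore cannot be an RFI, regardless of what is appended after it.

Added example for the VIM thread; not ClearBudget code.  The regex-based
parsing below is a heuristic approximation of PHP syntax, not a full parser.
"""
import re

# include/require(_once) statement; captures the argument expression.
_INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\b\s*\(?\s*(?P<arg>[^;]+?)\s*\)?\s*;",
    re.IGNORECASE,
)
# Simple assignment `$name = expr;` (the negative lookahead skips `==`).
_ASSIGN_RE = re.compile(r"\$(\w+)\s*=(?!=)\s*([^;]+);")
# Request-derived superglobals an attacker controls directly.
_SUPERGLOBAL_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")


def _strip_comments(source: str) -> str:
    """Drop /* */ and // comments so prose like 'includes the file' is ignored."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)


def classify_include(expr: str) -> str:
    """Classify the expression passed to include() by who controls its prefix."""
    expr = expr.strip()
    if expr.startswith(("'", '"')):
        # Fixed literal prefix: no URL scheme can be injected, so not an RFI.
        return "prefixed-variable" if "$" in expr else "static"
    if expr.startswith("$"):
        first_term = expr.split(".", 1)[0]
        if _SUPERGLOBAL_RE.search(first_term):
            return "remote-include-candidate"
        return "variable-start"  # origin unknown here; needs data-flow review
    return "unknown"


def triage_includes(source: str) -> list:
    """Return (statement, resolved expression, classification) per include."""
    source = _strip_comments(source)
    # Every simple assignment with its position, so include($var) can be
    # resolved to the nearest preceding assignment of $var.
    assigns = [(m.start(), m.group(1), m.group(2).strip())
               for m in _ASSIGN_RE.finditer(source)]
    results = []
    for m in _INCLUDE_RE.finditer(source):
        arg = m.group("arg").strip()
        expr = arg
        var = re.fullmatch(r"\$(\w+)", arg)
        if var:
            prior = [e for pos, name, e in assigns
                     if name == var.group(1) and pos < m.start()]
            if prior:
                expr = prior[-1]
        stmt = " ".join(m.group(0).split())
        results.append((stmt, expr, classify_include(expr)))
    return results


# Constructed, abbreviated version of the controller quoted in the thread.
CONTROLLER_SNIPPET = """<?php
class class_controller {
    public function doAction() {
        $actionPath =
            'actions'.DIRECTORY_SEPARATOR.$context->action.'.php';
        // if file does not exist, we simply continue
        if(file_exists($actionPath)) {
            include($actionPath);
        }
    }
    public function includeAction($action) {
        $actionPath = 'actions'.DIRECTORY_SEPARATOR.$action.'.php';
        if(file_exists($actionPath)) {
            include($actionPath);
        }
    }
}
?>
"""

# Constructed counter-example: the shape a real RFI report would have to show.
UNPREFIXED_SNIPPET = """<?php
$page = $_GET['page'];
include($page);
?>
"""

if __name__ == "__main__":
    for label, src in (("controller", CONTROLLER_SNIPPET),
                       ("unprefixed", UNPREFIXED_SNIPPET)):
        for stmt, expr, verdict in triage_includes(src):
            print(f"{label}: {stmt}  ->  {expr}  [{verdict}]")
```

Running it classifies both ClearBudget includes as `prefixed-variable` and the constructed counter-example as `remote-include-candidate`. The `prefixed-variable` verdict only rules out the remote-include claim; who controls the appended component is a separate question, which is the one George settles above by reading the callers of `doAction()` and `includeAction()`.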