[VIM] phpGraphy
rkeith
rkeith at securityfocus.com
Thu Jun 10 10:54:11 CDT 2010
Thanks again George.
This BID has been retired.
Cheers,
Rob
George A. Theall wrote:
> Bugtraq 40506 covers a remote file include vulnerability in phpGraphy
> version 0.9.13b. [I believe Exploit DB 12837 covered it as well but that
> no longer exists now.] The BID shows the following PoC:
>
>
> http://www.example.com/phpgraphy-0.9.13b/base/misc/mysql_cleanup.php?include_path=[SHELLCODE]
>
>
> Looking at the source of the supposedly affected file in version
> 0.9.13b, though, you can see this is completely bogus:
>
> <html>
> <pre>
> <?
> ...
> // COMMENT OUT THE FOLLOWING LINE TO RUN THE SCRIPT //
> die("This is a protection to avoid others people to run this script,
> to run it, you need to edit the file and remove the line with this text");
>
> // Include path to change if you've moved the script from its original
> location
> $include_path="../";
>
> // You shouldn't need to edit anything below
>
> if (is_file($include_path."config.inc.php")) include_once
> $include_path."config.inc.php"; else die("Could not find config.inc.php,
> please modify include_path in the header section ");
> if (is_file($include_path."include/db_mysql.inc.php")) include_once
> $include_path."include/db_mysql.inc.php"; else die("Could not find
> db_mysql.inc.php, please modify the include_path in the header section");
>
> Even if an admin commented out the initial 'die()', '$include_path' is
> hardcoded, and, the first 'include_once()' call includes
> '$include_path/config.inc.php', which doesn't exist because the config
> file is actually stored in '../../conf' and is named 'config.ini.php' so
> the script will stop executing without ever trying to include a function.
>
> George
More information about the VIM
mailing list