[VIM] FlatNuke

Steven M. Christey coley at linus.mitre.org
Tue Oct 25 00:26:52 EDT 2005


> OSVDB 19114
> http://archives.neohapsis.com/archives/bugtraq/2005-08/0442.html
>
> usr variable XSS
>
> http://archives.neohapsis.com/archives/bugtraq/2005-10/0276.html
>
> user variable XSS
>
>
>
> Makes me wonder if one of them is a typo and this is the same issue..

My immediate guess is that it isn't.  I haven't used PHP myself, but I've
gleaned from lots of staring at URLs that:

 - modules.php is usually a dispatcher for lots of other functionality

 - "op" or "action" and similar parameters are usually dispatchers as well


In this case, the "usr" variable was in an "op=vis_reg" and the "user"
variable is in an "op=profile", both accessible from an index.php.

Actually, I just confirmed this via source code inspection - there's a
vis_reg() with a $_GET['usr'] and a profile() with a $_GET['user'] etc.

Since I'm here, might as well confirm, by source inspection, the user
"file inclusion" issue (which doesn't appear to be an "include" issue per
se, but does involve dumping contents of a file into the resulting page).

from forum/index.php:

[874]function profile(){
...
[876]$user=$_GET['user'];
...
[891]$fp=file("users/$user.php");
...
[895]<img src=<?=str_replace("#","",$fp[7])?>>


** but ** the other two elements look like they're not full file reading:



function topic(){
...
$quale=$_GET['quale'];
...
$string=get_file("topics/$quale.xml");
$posts=get_xml_array("ff:post",$string);
...
$unsplitpost = $posts[$x];
...
$poster=get_xml_element("ff:poster",$unsplitpost);
...
$subj=get_xml_element("ff:subj",$unsplitpost);

etc.


function newtopic(){
...
$quale=$_GET['quale'];
$string=get_file("topics/$quale.xml");
$subjtmp="Re: ".get_xml_element("ff:topic",$string);

topic() and newtopic() seem to be just grabbing a single element out of a
well-formed input file; so it's a limited cross-user information leak at
best, it seems.  Not sure, though.


Also looked at the original post.  Confirmed (by source inspection only)
the vis_reg XSS.  The "mod=read" and "news=DEVICE" issues - all of them -
seem to be related to file opening or file access errors underneath, i.e.
items (2) and (3) appear to be resultant from basic pathname manipulation
/ directory traversal in (4).


- Steve
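For readers following the profile() analysis above, here is an added example of how the same `users/$user.php` lookup can be written so that the `user` parameter can neither walk out of the users directory nor inject markup through the avatar field. This is illustrative code written for this note, not FlatNuke's own source; it assumes the record layout the message describes (the avatar URL on the eighth line, `$fp[7]`) and a `users/` directory beside the script, and the function names are hypothetical.

```php
<?php
// Added example (not FlatNuke's code): a hardened profile() lookup.
// Assumptions: user records live in users/<name>.php next to this
// script, and line 8 ($fp[7]) holds the avatar URL, as in the excerpt.
declare(strict_types=1);

const USERS_DIR = __DIR__ . '/users';

/**
 * Accept only a plain account name. Dots, slashes, NUL bytes and
 * "../" sequences are rejected before the value reaches file().
 */
function validUserName(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{1,32}$/', $name);
}

/**
 * Resolve users/<name>.php and confirm the canonical path is still
 * inside USERS_DIR, so a symlinked record cannot point elsewhere.
 * Returns null for anything that fails validation or does not exist.
 */
function userRecordPath(string $name): ?string
{
    if (!validUserName($name)) {
        return null;
    }
    $base = realpath(USERS_DIR);
    $path = realpath(USERS_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function profile(): void
{
    $user = $_GET['user'] ?? '';
    $path = userRecordPath($user);
    if ($path === null) {
        http_response_code(404);
        echo 'No such user.';
        return;
    }
    $fp = file($path, FILE_IGNORE_NEW_LINES);
    $avatar = $fp[7] ?? '';
    // Escape for the attribute context instead of only stripping "#",
    // and quote the attribute so a space cannot start a new one.
    echo '<img src="' . htmlspecialchars($avatar, ENT_QUOTES, 'UTF-8') . '">';
}
```

The allowlist check alone already stops the traversal the message describes; the realpath prefix comparison is belt-and-braces for deployments where the users directory may contain symlinks. The same htmlspecialchars() treatment applies to the reflected `usr` value in vis_reg(), which is the XSS half of the report.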

