[VIM] Warcraft III Replay Parser - accuracy problems

Steven M. Christey coley at mitre.org
Sun Apr 2 16:16:22 EDT 2006


  BUGTRAQ:20060331 Warcraft III Replay Parser Script Remote Command Exucetion Vulnerability And Cross-Site Scripting Attacking

The researcher, botan, provides example URLs:

  http://www.site.com/[path]/index.php?page=evilcode.txt?&cmd=uname -a

  http://www.site.com/[path]/index.php?page=evilcode.txt?&cmd=uname -a

FYI, the report is for 1.8c, but 2.2 is the most recent version, and
it has been available since 2005.


1) grep of source for versions 1.0, 1.8c, and 2.2 shows no use of
   "page" anywhere.

2) Default distribution of 1.8c doesn't even include an index.php.  In
   1.8c and 2.2, vendor provides an "example.php" that appears to be
   used by some live sites; maybe some live sites rename example.php
   to index.php.

3) The id parameter ($id variable) in example.php (1.8c) does appear
   to have XSS:

      <div id="top">'.$id.' details</div>

   as well as here:

        if ($id) {
          echo('<br /><br />
          <a class="function" href="'.$w3g_path.$id.'.w3g">&#187; download</a>('.round(filesize($w3g_path.$id.'.w3g')/1024).' KB)');

   And also appears to be subject to local fopen:

      if (file_exists($txt_path.$id.'.txt')) {
        $txt_file = fopen($txt_path.$id.'.txt', 'r');

   ... although it assumes serialized data so there's a possibility
   that this is not cleanly exploitable for directory traversal.

4) Researcher's example "code execution" URL is:

  http://www.site.com/[path]/index.php?page=evilcode.txt?&cmd=uname -a

  Besides the mystery of the "page" parameter, there are no
  attacker-controllable include or require statements in any of the
  examined versions.

  Some fopen statements are used.  The "new replay" statements use the
  replay function in the replay class in w3g-julas.php, which gets a
  filename argument and does an fopen.

But at this point, I've spent too much time on this analysis so have
to back off in figuring out what's really going on.

- Steve
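Added example, not part of this VIM post and not code from the Warcraft III Replay Parser distribution: one way the $id handling in example.php described above could be hardened against both the reflected XSS and the path-manipulated fopen. The directory names, the web path for downloads, the helper function names and the assumed replay-id format (letters, digits, '_' and '-') are assumptions made for illustration.

```php
<?php
// Added example: hardened handling of the $id parameter. The paths,
// the id format and the helper names below are assumptions, not the
// parser's own code.

$w3g_path = __DIR__ . '/replays/';   // assumed replay directory on disk
$w3g_url  = '/replays/';             // assumed web path for download links
$txt_path = __DIR__ . '/cache/';     // assumed directory of serialized details

// Replay ids are assumed to be short tokens of [A-Za-z0-9_-]. Rejecting
// anything else stops "../" and similar sequences before any filesystem call.
function valid_replay_id($id) {
    return is_string($id) && preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id) === 1;
}

// Defence in depth: resolve the final path and confirm it still lies inside
// the intended directory (this also catches symlinks a regex would not).
function replay_file_path($base, $id, $ext) {
    $base = realpath($base);
    if ($base === false) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $id . $ext);
    if ($full === false || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                 // missing, or escaped the directory
    }
    return $full;
}

$id = isset($_GET['id']) ? $_GET['id'] : '';
if (!valid_replay_id($id)) {
    http_response_code(400);
    exit('invalid replay id');
}

// Output encoding for the heading and the link fixes the reflected XSS:
// htmlspecialchars with ENT_QUOTES is safe in both text and attribute context.
$safe_id = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
echo '<div id="top">' . $safe_id . ' details</div>';

$w3g = replay_file_path($w3g_path, $id, '.w3g');
if ($w3g !== null) {
    $href = htmlspecialchars($w3g_url . $id . '.w3g', ENT_QUOTES, 'UTF-8');
    echo '<br /><br /><a class="function" href="' . $href . '">&#187; download</a>'
       . '(' . round(filesize($w3g) / 1024) . ' KB)';
}

// The cached-details branch: the checked path replaces the raw
// fopen($txt_path.$id.'.txt') call quoted in the post.
$txt = replay_file_path($txt_path, $id, '.txt');
if ($txt !== null) {
    $txt_file = fopen($txt, 'r');
    // ... read and unserialize the cached details as example.php does
    fclose($txt_file);
}
```

The strict id whitelist alone is what blocks traversal; the realpath check is added so that a later change to the allowed id format, or a stray symlink under the replay directory, still cannot reach files outside it. Even with the file check in place, the output encoding is still needed, since the XSS is independent of whether the file exists.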
