[VIM] Jetbox CMS file include - CVE dispute

Steven M. Christey coley at linus.mitre.org
Tue Aug 29 19:57:37 EDT 2006


I have to put up a retraction - the issue looks real.

Bill said:

> > Line 423:   <?php include $relative_script_path.'/libs/htmlheader.php' ?>
> > Line 426:   <?php include $relative_script_path.'/libs/htmlmetas.php' ?>
>
> However, these lines are included within the following function, declared
> at the top of the file: (Lines 18-21)


FYI, someone else disputed this, too.

I don't know how I wound up down this rabbit hole after Bill analyzed it,
but I think we missed something.

1) if there's a "<?php" in the function definition, then that means there
are nested <?php tags - not sure if that's even allowed.  My PHP 4.x gives
a parse error.

2) So - maybe, despite appearances, this is being done *outside* the
function definition, in which case the <?php> is executed as soon as it's
parsed, which means there's a vuln.

  And in fact, we have this:

    else {
    ?>
    <?php include $relative_script_path.'/libs/htmlheader.php' ?>

So, I think that's what's going on.

3) Note - the path to the search_function.php suggested a third party
   product, phpdig.  I downloaded the source code for phpdig, and 1.8.8
   has the "search_function.php" file, and the most recent version renamed
   this to "search_functions.php".


- Steve
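
An added example (not part of the original message, and not Jetbox or phpdig code): a simplified Python triage helper for the scope question argued above. It reports whether each include with a variable path sits inside a function body or at file top level, where it runs as soon as the file is parsed. The sample file is constructed; `example_function` and `inside.php` are hypothetical names, and the tokenizer ignores heredocs and other PHP syntax not needed here.

```python
import re

OPEN_TAG = re.compile(r"(?P<php><\?(?:php\b|=)?)")
TOKEN = re.compile(r"""
    (?P<close>\?>)
  | (?P<comment>(?://|\#)(?:(?!\?>)[^\n])*|/\*.*?\*/)
  | (?P<string>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")
  | (?P<func>\bfunction\b)
  | (?P<inc>\b(?:include|require)(?:_once)?\b)
  | (?P<open>\{) | (?P<shut>\})
""", re.X | re.S | re.I)

def variable_includes(src):
    """Return (line, scope, path_expr) for each include/require with a variable path."""
    found, depth, func_depths, pending, pos, in_php = [], 0, [], False, 0, False
    while True:
        m = (TOKEN if in_php else OPEN_TAG).search(src, pos)
        if not m:
            return found
        pos, kind = m.end(), m.lastgroup
        if kind in ("php", "close"):        # "?>" leaves PHP mode, not the brace scope
            in_php = kind == "php"
        elif kind == "func":
            pending = True                  # the next "{" opens a function body
        elif kind == "open":
            depth += 1
            if pending:
                func_depths.append(depth)
                pending = False
        elif kind == "shut":
            if func_depths and func_depths[-1] == depth:
                func_depths.pop()
            depth -= 1
        elif kind == "inc":                 # path expression runs to ";" or "?>"
            expr = re.split(r";|\?>", src[pos:], maxsplit=1)[0].strip()
            if "$" in expr:
                line = src.count("\n", 0, m.start()) + 1
                found.append((line, "function" if func_depths else "top-level", expr))

# Constructed sample; example_function and inside.php are hypothetical names.
SAMPLE = """<?php
function example_function($relative_script_path) {
    include $relative_script_path.'/libs/inside.php';
}
if (isset($ready)) { echo 'ok'; } else {
?>
<?php include $relative_script_path.'/libs/htmlheader.php' ?>
<?php } ?>
"""
```

A "top-level" result marks an include that executes on a direct request to the file, so its path variable needs a trusted assignment earlier in that same file.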

