[VIM] Jetbox CMS file include - CVE dispute
Steven M. Christey
coley at linus.mitre.org
Tue Aug 29 19:57:37 EDT 2006
I have to put up a retraction - the issue looks real.
Bill said:
> > Line 423: <?php include $relative_script_path.'/libs/htmlheader.php' ?>
> > Line 426: <?php include $relative_script_path.'/libs/htmlmetas.php' ?>
>
> However, these lines are included within the following function, declared
> at the top of the file: (Lines 18-21)
FYI, someone else disputed this, too.
I don't know how I wound up down this rabbit hole after Bill analyzed it,
but I think we missed something.
1) if there's a "<?php" in the function definition, then that means there
are nested <?php tags - not sure if that's even allowed. My PHP 4.x gives
a parse error.
2) So - maybe, despite appearances, this is being done *outside* the
function definition, in which case the <?php> is executed as soon as it's
parsed, which means there's a vuln.
And in fact, we have this:
else {
?>
<?php include $relative_script_path.'/libs/htmlheader.php' ?>
So, I think that's what's going on.
3) Note - the path to the search_function.php suggested a third party
product, phpdig. I downloaded the source code for phpdig, and 1.8.8
has the "search_function.php" file, and the most recent version renamed
this to "search_functions.php".
- Steve
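
The scope question this message turns on can be checked mechanically. The following is an added example, not code from Jetbox, phpdig or the original post: a simplified Python scanner that reports, for each include/require, whether its path uses a variable and whether the statement sits inside a function body or runs at file scope. The sample file, the function name render_page and the file in_function.php are constructed, and braces or tags inside strings and comments are not handled.

```python
import re

# Constructed sample (not the Jetbox/phpdig source): one include inside a
# hypothetical function, one in top-level code after a "?>" / "<?php" switch.
SAMPLE = """<?php
function render_page($relative_script_path) {
    include $relative_script_path.'/libs/in_function.php';
}
if (isset($no_header)) {
    echo 'skip';
}
else {
?>
<?php include $relative_script_path.'/libs/htmlheader.php' ?>
<?php
}
?>
"""

# Simplified tokens: braces, the "function" keyword, include/require statements.
TOKEN = re.compile(r"\{|\}|\bfunction\b|\b(?:include|require)(?:_once)?\b[^;]*")

def find_includes(src):
    """Return (line, uses_variable, inside_function) for each include/require."""
    findings, func_depths = [], []  # func_depths: depth where each function body opened
    depth, pending_function, pos = 0, False, 0
    while (start := src.find("<?php", pos)) != -1:
        end = src.find("?>", start)
        end = len(src) if end == -1 else end
        # Brace and function state carries across "?>" ... "<?php":
        # leaving PHP mode does not close any open block.
        for m in TOKEN.finditer(src, start + 5, end):
            tok = m.group(0)
            if tok == "function":
                pending_function = True
            elif tok == "{":
                depth += 1
                if pending_function:
                    func_depths.append(depth)
                    pending_function = False
            elif tok == "}":
                if func_depths and func_depths[-1] == depth:
                    func_depths.pop()
                depth -= 1
            else:  # include/require statement
                line = src.count("\n", 0, m.start()) + 1
                findings.append((line, "$" in tok, bool(func_depths)))
        pos = end + 2
    return findings
```

A result of `(line, True, False)` marks a variable-path include that executes at file scope, the case point 2 describes.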