[VIM] Jetbox CMS file include - CVE dispute

Heinbockel, Bill heinbockel at mitre.org
Wed Aug 30 08:50:55 EDT 2006
>-----Original Message-----
>From: vim-bounces at attrition.org 
>[mailto:vim-bounces at attrition.org] On Behalf Of Stuart Moore
>Sent: Mittwoch, 30. August 2006 01:43
>To: Vulnerability Information Managers
>Subject: Re: [VIM] Jetbox CMS file include - CVE dispute
>
>Steve,
>
>I'm confused.  The PHP tags are awkward, but not nested.  It seems that
>all of the include statements are fully within the phpdigSearch()
>function, but the function is not actually called within that file, and
>so it cannot be exploited.  The function *is* called from search.php
>(and that is the only calling script), but the $relative_script_path
>parameter is defined right before the call.
>
>Stuart
>
Yes, this is what I saw... PHP will accept some seemingly weird stuff.
In this case the code was similar to:

<?php function foo($relative_script_path='.') { ?>
... some HTML and php ...
<?php include $relative_script_path . '/file.php'; // still inside foo() ?>
... some more HTML ...
<?php }  // <-- end of function foo() ?>

I think that Steve missed this fact, which is especially not evident since
the "function" is 400+ lines long and the include is buried in the
center of it all.

BTW, this is CVE-2006-4422.
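As an added illustration (not part of this mail thread and not Jetbox or phpdig code), the check below carries out the triage Stuart and Bill describe: it pulls the PHP segments out of a mixed HTML/PHP file, finds every include/require whose path starts with a variable, records whether that variable is a parameter of the enclosing function, and then looks at what each call site passes for it. The file contents, function name phpdigSearch, and the verdict labels are constructed for the example; the brace counting and regexes are a heuristic, not a PHP parser.

```python
"""Heuristic triage of PHP include sites: is the path variable a function
parameter, and what do the callers pass for it? Regex heuristic, not a parser."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PHP_BLOCK = re.compile(r"<\?php(.*?)\?>", re.DOTALL)
FUNC_DEF = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)")
INCLUDE = re.compile(r"\b(include|require)(?:_once)?\s*\(?\s*\$(\w+)")
ASSIGN_LITERAL = re.compile(r"\$(\w+)\s*=\s*(['\"])[^'\"]*\2\s*;")


@dataclass
class IncludeSite:
    keyword: str
    variable: str
    function: Optional[str]   # enclosing function name, None at top level
    params: List[str]         # that function's parameter names

    @property
    def is_parameter(self) -> bool:
        return self.variable in self.params


def php_code(source: str) -> str:
    """Join the PHP segments of a mixed HTML/PHP file, dropping the markup."""
    return "\n".join(m.group(1) for m in PHP_BLOCK.finditer(source))


def find_includes(source: str) -> List[IncludeSite]:
    """Locate include/require statements and the function body each sits in."""
    sites, stack, depth = [], [], 0   # stack entries: (name, params, depth at open)
    for line in php_code(source).splitlines():
        m = FUNC_DEF.search(line)
        if m:
            params = [p.split("=")[0].strip().lstrip("&$")
                      for p in m.group(2).split(",") if p.strip()]
            stack.append((m.group(1), params, depth))
        for inc in INCLUDE.finditer(line):
            name, params = (stack[-1][0], stack[-1][1]) if stack else (None, [])
            sites.append(IncludeSite(inc.group(1), inc.group(2), name, params))
        depth += line.count("{") - line.count("}")   # braces inside strings are not handled
        while stack and depth <= stack[-1][2]:
            stack.pop()
    return sites


def call_args(source: str, func: str) -> List[Tuple[List[str], str]]:
    """Argument lists of every call to func in source, paired with the caller code."""
    code = php_code(source)
    def_starts = {m.start(1) for m in FUNC_DEF.finditer(code)}   # skip the definition
    pat = re.compile(r"(?<![\w$])" + re.escape(func) + r"\s*\(([^)]*)\)")
    return [([a.strip() for a in m.group(1).split(",") if a.strip()], code)
            for m in pat.finditer(code) if m.start() not in def_starts]


def is_constant_arg(arg: str, caller_code: str) -> bool:
    """True for a string literal, or a plain variable the caller assigns a literal to."""
    if re.fullmatch(r"(['\"]).*\1", arg):
        return True
    m = re.fullmatch(r"\$(\w+)", arg)
    return bool(m) and m.group(1) in {a.group(1) for a in ASSIGN_LITERAL.finditer(caller_code)}


def triage(defining_source: str, other_sources=()) -> List[Tuple[Optional[str], str, str]]:
    """Verdicts: global-variable (not a parameter; review register_globals / assignments),
    no-call-site, constant-args (every caller passes a literal or uses the default), review."""
    sources = [defining_source, *other_sources]
    verdicts = []
    for site in find_includes(defining_source):
        if not site.is_parameter:
            verdicts.append((site.function, site.variable, "global-variable"))
            continue
        idx = site.params.index(site.variable)
        calls = [c for src in sources for c in call_args(src, site.function)]
        if not calls:
            verdict = "no-call-site"
        elif all(len(args) <= idx or is_constant_arg(args[idx], code) for args, code in calls):
            verdict = "constant-args"
        else:
            verdict = "review"
        verdicts.append((site.function, site.variable, verdict))
    return verdicts


# Constructed samples modelled on the pattern in the mail (not Jetbox source).
DEFINING_FILE = """<?php function phpdigSearch($relative_script_path='.', $query='') { ?>
<div class="results">
<?php include $relative_script_path . '/file.php'; ?>
</div>
<?php } ?>
<?php include $other_path . '/config.php'; ?>
"""
SAFE_CALLER = """<?php
$relative_script_path = '.';
phpdigSearch($relative_script_path, $_GET['q']);
?>"""
UNSAFE_CALLER = """<?php
phpdigSearch($_GET['path']);
?>"""

if __name__ == "__main__":
    for fn, var, verdict in triage(DEFINING_FILE, [SAFE_CALLER, UNSAFE_CALLER]):
        print(f"{fn or '<top level>'}: ${var} -> {verdict}")
```

Run against the constructed files, the include inside phpdigSearch() comes back as constant-args when only the search.php-style caller is given, no-call-site when no caller is given, and review once a caller passes request data; the top-level include of $other_path is flagged global-variable because nothing in the function scope protects it. The script only answers the "where does the variable come from" question; a real review still has to read the call sites it points at.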