Steven M. Christey coley at mitre.org
Wed Jun 14 02:45:48 EDT 2006

I just sent the following to Bugtraq.  Does anybody know of a provably
correct disclosure from SpC-x?  I've only recently noticed the name.

Some of the disclosures were so out there that I started to question
my own assumptions, like: "well, maybe if you have one statement that
sets a variable to a fixed value and the very next statement has an
allegedly vulnerable include statement that uses that variable, maybe
there's some weird OS-specific multiprocessor asynchronous threading
64-bit uncleared-register vulnerability related to some poorly
documented side effect in an API function's implementation deep in the
PHP interpreter that nobody's noticed but somehow appears in enough
real-world environments that a bunch of cut-and-paste kiddies are
hacking into live systems because fools like me are only looking at
source code and assuming there's no problem."

Yeah, Vegas is starting to sound pretty good right about now...


This post appears to have some errors.

What PHP version, environment, and operating system did you use to
test this?  Did you use a real web site, or did you just look at the
source code?

When a variable is used in a require or include statement, you must
make sure that the variable can be controlled by an attacker.  If the
variable is set to a fixed value, or it can only be changed by the
administrator, then it probably is not a vulnerability.

>CzarNews v1.14 Version - Remote File Include Vulnerabilities
>Link : http://www.root-security.org/danger/CzarNews.txt

If you search google.com for "CzarNews," then the 4th item is a
Secunia advisory for exactly the same vulnerability, which is
attributed to brOmstar and first announced sometime in March 2005.
That was not mentioned here.

>Simpnews <= All version - Remote File Include Vulnerabilities
>Link : http://www.root-security.org/danger/Simpnews.txt

It will be interesting to see the answer to str0ke's question about
this problem, since the source code suggests that there is no

>phphg Guestbook Signed.PHP - Remote File Include Vulnerabilities
>Link : http://www.root-security.org/danger/phphgGuestbook.txt

The original source code as quoted from this advisory says:

> # $phphg_real_path = "./";
> # include($phphg_real_path . 'common.php');

which doesn't seem exploitable as presented, since $phphg_real_path is
set to a static value that is not controlled by an attacker.

>Flog 1.1.2 Version - Remote File Include Vulnerabilities
>Link : http://www.root-security.org/danger/Flog.txt

This link gives the code example:

> # $FLog_dir_include = 'include/';
> ...
> require_once($FLog_dir_include.'core.inc.php');

and, again, the variable is set to a static value.

>wheatblog 1.0 Version - "wb_inc_dir" Parameter File Inclusion
>Link : http://www.root-security.org/danger/wheatblog.txt

which says:

> # require_once('./settings.php');
> ...
> # include_once("$wb_inc_dir/header.php");
> ...
> # http://www.victim.com/wheatblog/view_links.php?wb_inc_dir=Command-Shell

view_links.php does not define $wb_inc_dir, but if we look at
settings.php, we have:

> $wb_dir     = '/www/wheatblog';
> $wb_inc_dir = "$wb_dir/includes";

So, if the administrator sets $wb_dir to a fixed value, then
$wb_inc_dir cannot be controlled by an attacker.

>MD News 1 Version - Remote File Include Vulnerabilities
>Link : http://www.root-security.org/danger/MDNews.txt

The extracted code from this link says:

> # $configfile = "config.php";
> # require $configfile;

and gives a demonstration URL:

> # http://www.victim.com/MD News/latest.php?configfile=Command-Shell

but here, again, the variable is defined to a static value (this
particular source code can be seen from

I did not examine the claims for the other products that were listed
in the original post.

- Steve
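
The check Steve applies to each of these advisories (is the variable in the include/require statement set to a fixed value, or can it come from the request?) can be roughed out as a small triage script. The following is an added example, not part of the mailing-list post and not a tool from MITRE or any of the projects named above; the PHP snippets it runs on are constructed here, modelled on the lines quoted in the post, and the whole thing is a single-file regex heuristic, not a PHP parser. The function name `triage_includes` and the verdict labels are this example's own.

```python
import re

# Added example: heuristic triage of PHP include/require statements.
# Verdicts: 'static'     - every variable resolves to quoted literals
#           'review'     - function call, constant or self-reference; needs a human look
#           'unassigned' - variable never assigned in this file; follow the included
#                          settings files (and remember register_globals, which was
#                          On by default before PHP 4.2, could fill it from the request)
#           'tainted'    - a request superglobal flows into the include path

INCLUDE_RE = re.compile(
    r'\b(?:include|include_once|require|require_once)\b\s*\(?(?P<expr>.*?)\)?\s*;')
# "$var = ...;" and "$var .= ...;" (an appended request value taints a static prefix).
ASSIGN_RE = re.compile(
    r'^\s*(?P<var>\$[A-Za-z_]\w*)\s*\.?=(?!=)\s*(?P<rhs>.*?);\s*$')
VAR_RE = re.compile(r'\$[A-Za-z_]\w*')
# A right-hand side made only of quoted literals without interpolation is static.
LITERAL_RE = re.compile(
    r"""^(?:'[^']*'|"[^"$]*")(?:\s*\.\s*(?:'[^']*'|"[^"$]*"))*$""")
SUPERGLOBALS = ('$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_SERVER',
                '$HTTP_GET_VARS', '$HTTP_POST_VARS')
SEVERITY = {'static': 0, 'review': 1, 'unassigned': 2, 'tainted': 3}


def _classify_rhs(rhs, assignments, seen):
    """Classify an expression by the worst verdict of any variable it uses."""
    rhs = rhs.strip()
    if any(sg in rhs for sg in SUPERGLOBALS):
        return 'tainted'
    names = VAR_RE.findall(rhs)
    if not names:
        return 'static' if LITERAL_RE.match(rhs) else 'review'
    verdict = 'static'
    for name in names:
        verdict = max(verdict, _resolve(name, assignments, seen), key=SEVERITY.get)
    return verdict


def _resolve(name, assignments, seen):
    """Follow every assignment to a variable, in the same file, to its sources."""
    if name in seen:
        return 'review'          # self-referential assignment; do not recurse forever
    if name not in assignments:
        return 'unassigned'
    verdict = 'static'
    for rhs in assignments[name]:
        verdict = max(verdict, _classify_rhs(rhs, assignments, seen | {name}),
                      key=SEVERITY.get)
    return verdict


def triage_includes(source):
    """Return (line_no, include_expression, verdict) for each include/require."""
    lines = source.splitlines()
    assignments = {}
    for line in lines:
        m = ASSIGN_RE.match(line)
        if m:
            assignments.setdefault(m['var'], []).append(m['rhs'])
    findings = []
    for no, line in enumerate(lines, 1):
        m = INCLUDE_RE.search(line)
        if m:
            findings.append((no, m['expr'].strip(),
                             _classify_rhs(m['expr'], assignments, frozenset())))
    return findings


# Constructed samples modelled on the snippets quoted in the post.
PHPHG = """\
$phphg_real_path = "./";
include($phphg_real_path . 'common.php');
"""
VIEW_LINKS = """\
require_once('./settings.php');
include_once("$wb_inc_dir/header.php");
"""
SETTINGS = """\
$wb_dir = '/www/wheatblog';
$wb_inc_dir = "$wb_dir/includes";
"""
# Constructed contrast case: the pattern that actually is a file inclusion bug.
TAINTED = """\
$page = $_GET['page'];
include($page . '.php');
"""

if __name__ == '__main__':
    for label, src in [('phphg', PHPHG), ('view_links.php alone', VIEW_LINKS),
                       ('view_links.php + settings.php', SETTINGS + VIEW_LINKS),
                       ('tainted', TAINTED)]:
        print(label, triage_includes(src))
```

Run on view_links.php by itself the script reports `$wb_inc_dir` as unassigned, which is exactly the point at which one has to go and read settings.php rather than conclude anything; prepending settings.php turns the verdict into static, matching Steve's reading above. The script deliberately errs toward 'review' rather than 'static' whenever a right-hand side is not a plain literal.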

More information about the VIM mailing list