[VIM] Horde go.php question

George A. Theall theall at tenablesecurity.com
Wed Mar 22 09:19:02 EST 2006

security curmudgeon wrote:

> http://archives.neohapsis.com/archives/bugtraq/2006-03/0272.html
> http://archives.neohapsis.com/archives/bugtraq/2006-03/0366.html
> ---------- Forwarded message ----------
> From: security curmudgeon <jericho at attrition.org>
> To: Jan Schneider <jan at horde.org>
> Date: Wed, 22 Mar 2006 07:55:54 -0500 (EST)
> Subject: Re: CodeScan Advisory: Unauthenticated Arbitrary File Read in
> Horde
>     v3.09 and prior
> Hey Jan,
> : Just FYI, noone of the Horde developers was able to reproduce this, and
> : it should only be exploitable if you have a PHP version that has bugs in
> : both parse_url() and readfile().

I asked Jan about this and told him that I'm able to reproduce this
under php 4.4.0-pl1-gentoo as long as magic_quotes_gpc is disabled and
that the following PHP script successfully displays the password file if
run from the CLI under PHP 5.1.2-gentoo/0.4.8:

$url = "../../../../../../../../../../../etc/passwd" . chr(0) . ":/";

which suggests that the exploit should work with that version too. In
his reply, he didn't mention anything about which versions of PHP have
the bugs he eluded to, only that he tested it on 4.4.0 and it didn't
work but it did using the CLI SAPI of that version.

I sent him my php.ini file as well as Apache's server info output to
give him an idea how the first server is configured. That was yesterday
morning. I haven't heard back from him yet.


More information about the VIM mailing list