[VIM] ClanSys issue might be eval injection, not file inclusion

Steven M. Christey coley at mitre.org
Tue May 2 17:31:42 EDT 2006



  Advisory: Clansys <= 1.1 PHP Code Insertion Vulnerability.

This looks like eval injection, not file inclusion, as most VDBs seem
to be claiming.

from the post:

  You can found vulnerable code at line 126 as an
  eval("?>" . $output);
  Purely nice coding isn't it?;)

That's a funny-looking eval to me with the "?>" starting out, but
presumably the $page variable feeds into $output.

Where people got tripped up on file inclusion was in the demonstration


Note that the page parameter actually uses PHP <?> sequences to
execute the include statement.  Using the code above, we would have:

  eval("?>" . "<?include($s);?>");

which is


Turns out that the leading "?>" is a hint to eval() to support parsing
of "<?" and "?>" sequences - otherwise you'd get a parse error.  Cute.

- Steve

More information about the VIM mailing list