[VIM] mxBB Smartor Album - possible milw0rm dispute

George A. Theall theall at tenablesecurity.com
Wed Nov 8 17:13:20 EST 2006

Steven M. Christey wrote:

> Apparently an RFI was reported in
> http://www.milw0rm.com/exploits/2723, which seems to be the only raw
> source.  BID:20932 and XF:smartor-album-file-include(30015) are other
> references.  However, the milw0rm URL has since become blank.  I
> emailed str0ke about it, and he recalled removing it because it didn't
> look legit after some investigation.  

I set up Smartor Album 1.02 and mxBB 2.7.7 and, after looking at the
code and playing with it a bit, I doubt the issue is valid. The
manipulation of global variables that I had noticed in common.php only
unsets them if register_globals is enabled; I didn't see any way for the
supposedly affected module_root_path parameter to be manipulated by an
attacker. Even trying Esser's trick of passing along numeric parameters
to avoid unsetting the actual parameter didn't work -- the script dies
with "Hacking attempt".

theall at tenablesecurity.com

More information about the VIM mailing list