[VIM] source VERIFY - PEGames RFI

Steven M. Christey coley at mitre.org
Thu Nov 30 19:14:46 EST 2006


Researcher: DeltahackingTEAM

Ref: http://www.milw0rm.com/exploits/2840


We have another variable extraction issue.  These are fun to find,
even though you always have to remember to look out for them.

1) "Download" URL provided in advisory has no "Index.php", rather, an
   "index.php".

2) index.php has:

   include_once("./settings.php");
   ...
   include_once("$abs_url/display.php");

3) settings.php sets $abs_url to a constant value.  A-ha!  Looks like
   typical dispute (wanna guess what my original subject line said?)

4) BUT... the next lines in index.php after that include are:

  $types_to_register = array('GET', 'POST', 'COOKIE', 'SESSION', 'SERVER', 'FILES');
  foreach ($types_to_register as $type) {
  	$arr = @${'HTTP_' . $type . '_VARS'};
  	if (@count($arr) > 0)
  		extract($arr, EXTR_OVERWRITE);
  }

5) and, sure enough, later in the code, we have:

      include_once("$abs_url/cookie.php");

   as well as

      include_once("$abs_url/template2.php");


- Steve
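
The ordering check walked through in the post above, as an added example that is not part of the original message or of PEGames: a small line-based audit that marks each include whose path interpolates a variable as `as-set` or `overwritable`, depending on whether an overwriting `extract()` call appears earlier in the file. The sample source is constructed from the lines quoted in the post (the elided parts are not reproduced), and the function name, status labels, and safe-flag list are assumptions of this sketch.

```python
import re

# Constructed sample modelled on the lines quoted in the post; the parts of
# the real index.php elided with "..." are not reproduced here.
SAMPLE_INDEX_PHP = r'''<?php
include_once("./settings.php");   // per the post, this sets $abs_url
include_once("$abs_url/display.php");
$types_to_register = array('GET', 'POST', 'COOKIE', 'SESSION', 'SERVER', 'FILES');
foreach ($types_to_register as $type) {
	$arr = @${'HTTP_' . $type . '_VARS'};
	if (@count($arr) > 0)
		extract($arr, EXTR_OVERWRITE);
}
include_once("$abs_url/cookie.php");
include_once("$abs_url/template2.php");
'''

INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*"([^"]*)"')
VAR_RE = re.compile(r'\$(\w+)')
EXTRACT_RE = re.compile(r'\bextract\s*\(([^)]*)\)')
# extract() flags that leave already-defined variables alone. Anything else,
# including a call with no flag (the default is EXTR_OVERWRITE), is treated
# as overwriting.
NON_OVERWRITING = ('EXTR_SKIP', 'EXTR_PREFIX_ALL', 'EXTR_PREFIX_SAME')


def audit_includes(source):
    """Return (line_no, variable, status) for every include path that
    interpolates a variable. Heuristic: line-based, single file, and it does
    not check which array is passed to extract()."""
    findings = []
    overwritten = False
    for line_no, line in enumerate(source.splitlines(), 1):
        call = EXTRACT_RE.search(line)
        if call and not any(flag in call.group(1) for flag in NON_OVERWRITING):
            overwritten = True  # every later include sees request-controlled values
        inc = INCLUDE_RE.search(line)
        if inc:
            status = 'overwritable' if overwritten else 'as-set'
            for var in VAR_RE.findall(inc.group(1)):
                findings.append((line_no, var, status))
    return findings


if __name__ == '__main__':
    for finding in audit_includes(SAMPLE_INDEX_PHP):
        print(finding)
```

On the sample, the `display.php` include is reported as `as-set` and the `cookie.php` and `template2.php` includes as `overwritable`, matching steps 3 to 5 of the post.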

