[VIM] ModuleBased CMS file include - CVE dispute

Heinbockel, Bill heinbockel at mitre.org
Fri Sep 1 14:08:59 EDT 2006


Researcher: ScorpinO
BUGTRAQ:20060829 ModuleBased CMS alfa 1 Multiple Remote File Inclusion
http://www.securityfocus.com/archive/1/archive/1/444897/100/0/threaded

Provides several code snippets that show an include with the
$_SERVER[DOCUMENT_ROOT] parameter, including:

/admin/avatar.php:
<?php
  include_once($_SERVER[DOCUMENT_ROOT]."/libs/profile.class.php");
  include($_SERVER[DOCUMENT_ROOT]."/libs/config.php");
  ...

with the POC:
http://www.example.com/[mbcms]/admin/avatar.php?_SERVER=[evil script]


In PHP it is not possible to redeclare the _SERVER global array or the
_SERVER[DOCUMENT_ROOT] index. Hence, there is no possible way for an
attacker to modify any of the variables inside the claimed include
statements.

A download and verification of the code shows the PHP is as presented
by the researcher. So no chance of a copy/paste error...


William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615
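
Added example (not part of the original message, and not code from ModuleBased CMS): a small Python triage script that lists each include/require in a PHP source and grades where its path expression comes from, which is the check the message describes doing by hand. The function names and the last two lines of SAMPLE are constructed; treating DOCUMENT_ROOT as server-set is an assumption taken from the message's argument.

```python
import re

# Constructed sample: the two include lines quoted in the message, plus two
# invented lines (not from ModuleBased CMS) for contrast.
SAMPLE = '''<?php
  include_once($_SERVER[DOCUMENT_ROOT]."/libs/profile.class.php");
  include($_SERVER[DOCUMENT_ROOT]."/libs/config.php");
  include($_GET['page'] . ".php");
  require_once($module_dir . "/init.php");
'''

INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\b\s*\(?(.*?)\)?\s*;', re.I)
VAR_RE = re.compile(r'\$(\w+)(?:\[\s*[\'"]?(\w+)[\'"]?\s*\])?')

REQUEST_ARRAYS = {"_GET", "_POST", "_REQUEST", "_COOKIE", "_FILES"}
# $_SERVER entries that PHP fills from the request line or headers.
CLIENT_SERVER_KEYS = {"PHP_SELF", "REQUEST_URI", "QUERY_STRING", "PATH_INFO"}
RANK = {"constant": 0, "server-set": 1, "review": 2, "request-controlled": 3}

def classify_var(name, key):
    if name in REQUEST_ARRAYS:
        return "request-controlled"
    if name == "_SERVER":
        if key.startswith("HTTP_") or key in CLIENT_SERVER_KEYS:
            return "request-controlled"
        # Assumption taken from the message: DOCUMENT_ROOT comes from server
        # configuration. Any other or dynamic index needs a human look.
        return "server-set" if key == "DOCUMENT_ROOT" else "review"
    # Plain variables must be traced to their assignment; with
    # register_globals on, an uninitialised one can be seeded by the request.
    return "review"

def classify(expr):
    """Return the worst verdict over all variables in an include path."""
    verdict = "constant"
    for name, key in VAR_RE.findall(expr):
        v = classify_var(name, key)
        if RANK[v] > RANK[verdict]:
            verdict = v
    return verdict

def audit(source):
    """Return (line, verdict, expression) for each include/require."""
    out = []
    for m in INCLUDE_RE.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        out.append((line, classify(m.group(1)), m.group(1).strip()))
    return out

if __name__ == "__main__":
    for line, verdict, expr in audit(SAMPLE):
        print(f"{line}: {verdict:18} {expr}")
```

A "review" verdict means the variable's assignment has to be traced by hand before an inclusion claim is accepted or rejected.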

