[VIM] PHPSaTK remote file inclusion - CVE dispute

Heinbockel, Bill heinbockel at mitre.org
Tue Sep 26 17:15:07 EDT 2006

Researcher: Root3r_H3ll

BUGTRAQ:20060924 phpstak <= Remote File Include Vulnerability

The researcher states that the following code in loader.php in
PHPSaTk is vulnerable to PHP remote file inclusion:
>>  require $GLOBALS 'config'
With the exploit: [url]/[path]/loader.php?GLOBALS=Sh3ll
[Ignoring the fact that you can't overwrite the GLOBALS array,
only the indices/values within...]

Looking at the PHPSaTk Sourceforge site:

In sat-beta1 - phpsatk-beta1.zip: the only require statement
in loader.php is on line 67:
>>  require $GLOBALS['config']->appdir . $GLOBALS['appname'] .
However, on line 25:
>>  $GLOBALS['config'] = new Config('configs/global.conf','ini');

So, in order to exploit this, the attacker would need to modify the
configs/global.conf file. The $GLOBALS['appname'] may be vulnerable
to directory traversal attacks, however any attack vectors are not
immediately obvious upon source code inspection.

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org

More information about the VIM mailing list