[VIM] Mostly Bogus: ScarAdControl 1.1 Remote/Local File Inclusion Vulnerabilities

George A. Theall theall at tenablesecurity.com
Mon Apr 9 12:16:59 UTC 2007


Milw0rm 3682 describes two flaws, neither of which looks valid to me, at 
least as BeyazKurt describes them:

- scaradcontrol.php has this near the start:

   ###  du musst die '//' davor entfernen !!

   // $sac_config_dir = "/www/user234/cats/scaradcontrol/";

If my German's any good, this says you have to uncomment the definition 
of $sac_config_dir (and presumably define it according to your site's 
layout). Between that and the include(), there's no chance for an 
attacker to override the definition and hence gain control of the 
variable. So the only way the flaw is valid is if someone just unzips 
the distribution file in their document root and doesn't bother doing an 
install.

- admin/index.php has this at lines 133 - 143:

   } elseif(md5($sac_pass)==$pass && md5($sac_user)==$user){

      if ($site=="code") {

           @code_box($id,$cat);

      } else {

           if(file_exists("$site.php")){

                 include("$site.php");

So ok, the flaw does exist but you can't exploit it unless you have 
credentials.


George
-- 
theall at tenablesecurity.com
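
The two points in the message above, as an added PHP illustration that is not part of the original post and is not ScarAdControl's own code. It assumes request variables reach global scope through a register_globals-style import (simulated here with extract()); the function names, the page allowlist and all sample inputs are hypothetical and constructed.

```php
<?php
// Added illustration; function names and the page list are hypothetical.

// Point 1: with a register_globals-style import, request input is placed in
// scope first; a later unconditional assignment in the script replaces it.
function effective_config_dir(array $request, ?string $configured): ?string
{
    $sac_config_dir = null;
    extract($request);                  // simulation only: stands in for register_globals
    if ($configured !== null) {
        $sac_config_dir = $configured;  // the uncommented definition overwrites request input
    }
    return $sac_config_dir;             // request-controlled only when never defined
}

// Point 2: resolve $site through a fixed allowlist instead of include("$site.php"),
// so the include target no longer depends on the caller being trustworthy.
function resolve_admin_page(string $site, string $baseDir): ?string
{
    $allowed = ['overview', 'stats', 'settings'];   // hypothetical page names
    if (!in_array($site, $allowed, true)) {
        return null;                    // URLs, traversal sequences and unknown names are rejected
    }
    $path = $baseDir . DIRECTORY_SEPARATOR . $site . '.php';
    return is_file($path) ? $path : null;
}

// Constructed inputs for both checks.
$req = ['sac_config_dir' => 'http://example.invalid/'];
var_dump(effective_config_dir($req, '/www/user234/cats/scaradcontrol/'));
var_dump(effective_config_dir($req, null));

$base = sys_get_temp_dir() . '/sac_demo_' . getmypid();
mkdir($base);
file_put_contents($base . '/stats.php', "<?php // demo page\n");
foreach (['stats', '../../etc/passwd', 'http://example.invalid/x', 'settings'] as $site) {
    var_dump(resolve_admin_page($site, $base));
}
unlink($base . '/stats.php');
rmdir($base);
```

The first pair of calls shows the difference between an installed copy and one that was only unzipped; the loop shows that only an allowlisted name with an existing file resolves to a path.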

