[VIM] Mostly Bogus: ScarAdControl 1.1 Remote/Local File Inclusion Vulnerabilities
str0ke
str0ke at milw0rm.com
Mon Apr 9 12:29:56 UTC 2007
[milw0rm] 3682 << has been removed. I knew there was something fishy
about it :)
/str0ke
On 4/9/07, George A. Theall <theall at tenablesecurity.com> wrote:
> Milw0rm 3682 describes two flaws, neither of which looks valid to me, at
> least as BeyazKurt describes them:
>
> - scaradcontrol.php has this near the start:
>
> ### du musst die '//' davor entfernen !!
>
> // $sac_config_dir = "/www/user234/cats/scaradcontrol/";
>
> If my German's any good, this says you have to uncomment the definition
> of $sac_config_dir (and presumably define it according to your site's
> layout). Between that and the include(), there's no chance for an
> attacker to override the definition and hence gain control of the
> variable. So the only way the flaw is valid is if someone just unzips
> the distribution file in their document root and doesn't bother doing an
> install.
>
> - admin/index.php has this at lines 133 - 143:
>
> } elseif(md5($sac_pass)==$pass && md5($sac_user)==$user){
>
> if ($site=="code") {
>
> @code_box($id,$cat);
>
> } else {
>
> if(file_exists("$site.php")){
>
> include("$site.php");
>
> So ok, the flaw does exist but you can't exploit it unless you have
> credentials.
>
>
> George
> --
> theall at tenablesecurity.com
>
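Added example, not part of the original thread and not ScarAdControl code: the include("$site.php") pattern quoted from admin/index.php builds a file name from a variable, so one way to harden it is to map the value through a fixed allowlist and to define the base directory as a constant that nothing in the request can redefine. The page names, the directory and the function name sac_resolve_page() are hypothetical, and it is an assumption here that $site arrives from the request.

```php
<?php
declare(strict_types=1);

// Illustration only; names below are hypothetical, not from ScarAdControl.

// Base directory fixed in code. A constant cannot be overridden by a
// request parameter, unlike an uninitialised global such as $sac_config_dir.
const SAC_PAGE_DIR = __DIR__ . '/pages';

// Allowlist: accepted value of $site => file actually included.
const SAC_PAGES = [
    'overview' => 'overview.php',
    'stats'    => 'stats.php',
];

/**
 * Return the absolute path to include for $site, or null when the value
 * is not an exact allowlist key. The caller's input never becomes part
 * of the path; it only selects an entry.
 */
function sac_resolve_page($site): ?string
{
    if (!is_string($site) || !array_key_exists($site, SAC_PAGES)) {
        return null;
    }
    return SAC_PAGE_DIR . '/' . SAC_PAGES[$site];
}

// Constructed sample inputs: one valid key, then traversal, a URL,
// an array in place of a string, and a string with a trailing NUL byte.
$samples = ['stats', '../../etc/passwd', 'http://example.invalid/x', ['stats'], "stats\0"];

foreach ($samples as $sample) {
    $path = sac_resolve_page($sample);
    printf(
        "%-34s => %s\n",
        json_encode($sample, JSON_UNESCAPED_SLASHES),
        $path ?? 'rejected'
    );
}

// In the admin page itself the authenticated branch would then do:
//   $path = sac_resolve_page($site);
//   if ($path !== null) { include $path; }
```

Only the first sample resolves to a path; the other four are rejected before any file system call is made.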