[VIM] ScarNews 1.2.1 (sn_admin_dir) Local File Inclusion Exploit
George A. Theall
theall at tenablesecurity.com
Mon Apr 9 15:32:55 UTC 2007
Milw0rm 3687 is for a local file include in a German news script. If I
read the PoC correctly, the flaw lies with the 'sn_admin_dir' parameter
of the 'scarnews.inc.php' script. The vendor seems to have just patched
several files; e.g.,
http://www.scar4u.de/news/index.php?sn_show_news=117
yet the version remains pegged at 1.2.1. Anyone have a copy of the
affected file before the changes? The version I just grabbed has this at
the top:
    if(!defined("SN_INCLUDE")) {
        die("ACCESS FORBIDDEN");
    }
preventing it from being called directly and which I suspect is what's
just been changed. Later in the file, we have global variable
registration as long as the parameter starts with "sn_":
    $sn_get_post = $_REQUEST;
    foreach ($sn_get_post as $sn_key => $sn_value) {
        if(ereg("^sn_",$sn_key)) { ${$sn_key} = $sn_value; }
    }
and then:
    if(file_exists($sn_admin_dir."admin/config.inc.php")) { ###
        include($sn_admin_dir."admin/config.inc.php"); ###
    } else {
So, the issue is probably valid.
George
--
theall at tenablesecurity.com
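
A hardened form of the two snippets quoted above, as an added example that is not part of the original post and is not ScarNews code: request values are read through a fixed allowlist instead of being registered as globals by prefix, and the include path is built from an application constant and checked after resolution. The names SN_ALLOWED_PARAMS, SN_ADMIN_BASE, sn_read_params, sn_config_path and the sn_page parameter are assumptions made for illustration.

```php
<?php
// Added example, not ScarNews code. All names defined here are hypothetical.

// Only these request keys are ever read. sn_admin_dir is deliberately absent,
// so it cannot arrive through the query string, a POST body or a cookie.
const SN_ALLOWED_PARAMS = ['sn_show_news' => 'int', 'sn_page' => 'int'];

// The admin directory is fixed by the application, relative to this file.
define('SN_ADMIN_BASE', __DIR__ . '/');

/** Return validated request values as an array instead of creating globals. */
function sn_read_params(array $request): array
{
    $clean = [];
    foreach (SN_ALLOWED_PARAMS as $key => $type) {
        if (!isset($request[$key]) || !is_string($request[$key])) {
            continue; // missing, or an array such as sn_page[]=1
        }
        if ($type === 'int' && ctype_digit($request[$key])) {
            $clean[$key] = (int) $request[$key];
        }
    }
    return $clean;
}

/** Resolve the config file; refuse anything outside the fixed base directory. */
function sn_config_path(string $base): ?string
{
    $root = realpath($base);
    $path = realpath($base . 'admin/config.inc.php');
    if ($root === false || $path === false) {
        return null; // base directory or config file does not exist
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $root, strlen($root)) === 0 ? $path : null;
}

// Constructed sample request: the sn_admin_dir entry is simply ignored.
$params = sn_read_params(['sn_show_news' => '117', 'sn_admin_dir' => 'elsewhere/']);
$config = sn_config_path(SN_ADMIN_BASE);
if ($config !== null) {
    include $config;
}
var_dump($params);
```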