[VIM] ScarNews 1.2.1 (sn_admin_dir) Local File Inclusion Exploit

George A. Theall theall at tenablesecurity.com
Mon Apr 9 15:32:55 UTC 2007


Milw0rm 3687 is for a local file include in a German news script. If I 
read the PoC correctly, the flaw lies with the 'sn_admin_dir' parameter 
of the 'scarnews.inc.php' script. The vendor seems to have just patched 
several files; e.g.,

   http://www.scar4u.de/news/index.php?sn_show_news=117

yet the version remains pegged at 1.2.1. Anyone have a copy of the 
affected file before the changes? The version I just grabbed has this at 
the top:

   if(!defined("SN_INCLUDE")) {
           die("ACCESS FORBIDDEN");
   }

preventing it from being called directly and which I suspect is what's 
just been changed. Later in the file, we have global variable 
registration as long as the parameter starts with "sn_":

   $sn_get_post = $_REQUEST;
   foreach ($sn_get_post as $sn_key => $sn_value) {
       if(ereg("^sn_",$sn_key)) { ${$sn_key} = $sn_value; }
   }

and then:

   if(file_exists($sn_admin_dir."admin/config.inc.php")) {            ###
        include($sn_admin_dir."admin/config.inc.php");                ###
   } else {

So, the issue is probably valid.


George
-- 
theall at tenablesecurity.com
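
A hardened form of the two patterns quoted in the message above, as an added example that is not part of the original post and is not ScarNews code. It assumes PHP 7.1 or later; the function names, the allow-list contents and the sample request are hypothetical or constructed.

```php
<?php
// Added example, not ScarNews code. sn_import_request(), sn_config_path()
// and SN_ALLOWED_PARAMS are hypothetical names.

// Request parameters the script accepts (assumed list for illustration).
const SN_ALLOWED_PARAMS = ['sn_show_news'];

// Replaces the ${$sn_key} loop: copy only allow-listed scalar values into an
// array. sn_admin_dir is not on the list, so a request can never set it.
function sn_import_request(array $request): array
{
    $params = [];
    foreach (SN_ALLOWED_PARAMS as $name) {
        if (isset($request[$name]) && is_scalar($request[$name])) {
            $params[$name] = (string) $request[$name];
        }
    }
    return $params;
}

// Replaces the include of $sn_admin_dir."admin/config.inc.php": build the
// path from a server-side directory and confirm the resolved file is still
// inside it (realpath() collapses ".." and follows symlinks).
function sn_config_path(string $baseDir): ?string
{
    $base = realpath($baseDir);
    $path = ($base === false) ? false : realpath($base . '/admin/config.inc.php');
    if ($path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed request; the sn_admin_dir value is a placeholder.
$request = ['sn_show_news' => '117', 'sn_admin_dir' => 'PLACEHOLDER/'];
$params  = sn_import_request($request);
var_dump(array_key_exists('sn_admin_dir', $params));

// The base directory comes from the server side, never from the request.
$config = sn_config_path(__DIR__);
if ($config !== null) {
    include $config;
}
```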

