[VIM] [uncertain] (mostly) phpFaber TopSites path traversal

Steven M. Christey coley at mitre.org
Thu Apr 19 08:17:08 UTC 2007


Who: Dr.RoVeR
Where: BUGTRAQ:20070411 nEw Bug :D
   URL:http://www.securityfocus.com/archive/1/archive/1/465339/100/100/threaded

The researcher quotes a couple lines from index.php, but this is a red
herring; these lines only set "page" to a static value when the
provided parameter is missing or invalid.

template.php (reachable through the "template" page in
admin/index.php) in the provided download has:

  if ($_GET['modify']) $_GET['modify'] = basename($_GET['modify']);

but then later we have:

  elseif($files[$_GET['modify']]){
    if(!$files[$_GET['modify']]) $err_msg = "Please select file";
    else{
      $fn = PATH_SITE.$files[$_GET['modify']];
      $content = PrepareTplData(cpReadFile($fn));
    }
  }

and $fn is later used in an include.

HOWEVER... on first glance, it seems like $files might be a whitelist,
and $files is not specified in the attack URL, so this conditional
might not be satisfied.

But given that the researcher quoted the entirely wrong section of
code, this doesn't look like a grep-and-gripe situation, so maybe I'm
missing something.  extra.php looks like it might have something:

  $fn = PATH_SITE.$path.$_GET['modify'];
  $content = cpReadFile($fn);

but I don't see this being directly included by template.php.

So, I'm a little mixed here.

- Steve

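The three code patterns quoted in the message above, reduced to stand-alone functions so their behaviour on a traversal payload can be compared side by side. This is an added illustration, not phpFaber's code: the value of PATH_SITE, the contents of $files (assumed here to be a fixed array built by the script, which is the open question in the message) and the value of $path are all constructed for the example.

```php
<?php
// Added example, not code from phpFaber TopSites. PATH_SITE, $files and
// $path are constructed stand-ins for whatever the real scripts define.

const PATH_SITE = '/var/www/site/';

// Pattern 1: basename() as applied in template.php. It keeps only the
// last path component, so any "../" prefix is discarded.
function sanitize_modify(string $modify): string
{
    return basename($modify);
}

// Pattern 2: the $files[$_GET['modify']] lookup in template.php.
// If $files is a fixed array, the request parameter is only an array key:
// an unknown key is simply absent and the branch is never entered, so
// the user never controls the path string itself.
function resolve_via_whitelist(string $modify, array $files): ?string
{
    if (!isset($files[$modify])) {
        return null; // corresponds to the conditional not being satisfied
    }
    return PATH_SITE . $files[$modify];
}

// Pattern 3: the concatenation in extra.php as quoted, with no basename()
// between the request parameter and the path. Here the user value is part
// of the path, so ".." segments are honoured when the file is opened.
function resolve_via_concat(string $modify, string $path): string
{
    return PATH_SITE . $path . $modify;
}

// Purely lexical normalisation (no filesystem access) so the example runs
// offline: collapses "." and ".." segments the way the kernel would.
function normalize_path(string $p): string
{
    $out = [];
    foreach (explode('/', $p) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// True when the normalised path is still inside the site root.
function stays_under_root(string $p, string $root): bool
{
    $rootNorm = rtrim(normalize_path($root), '/') . '/';
    return strpos(normalize_path($p) . '/', $rootNorm) === 0;
}

// Constructed whitelist standing in for whatever template.php populates.
$files = [
    'header' => 'templates/header.tpl',
    'footer' => 'templates/footer.tpl',
];

$payload = '../../../../etc/passwd';

var_dump(sanitize_modify($payload));               // string(6) "passwd"
var_dump(resolve_via_whitelist($payload, $files)); // NULL: key not in $files
var_dump(resolve_via_whitelist('header', $files)); // "/var/www/site/templates/header.tpl"

$concat = resolve_via_concat($payload, 'extra/');
var_dump($concat);                                 // ".../extra/../../../../etc/passwd"
var_dump(normalize_path($concat));                 // "/etc/passwd"
var_dump(stays_under_root($concat, PATH_SITE));    // bool(false)
var_dump(stays_under_root(resolve_via_whitelist('header', $files), PATH_SITE)); // bool(true)
```

The point of the comparison is the one the message circles around: a lookup whose key is user-controlled but whose values are script-controlled does not give the attacker a path, whereas string concatenation of the raw parameter does, and basename() only matters for the code path where the raw parameter actually reaches a filesystem call.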
