[VIM] [uncertain] (mostly) phpFaber TopSites path traversal

GM darkfig gmdarkfig at gmail.com
Fri Apr 20 17:58:15 UTC 2007


Hi Steven M. Christey =)

Quote from the thread:
>#Exploit:/Path/admin/index.php?page=template&modify=../../../../../../etc/passwd
>#Exploit:/Path/admin/index.php?page=template&modify=inc/config.ini.php

./admin/template.php:
$_GET['modify'] = basename($_GET['modify']);
[...]
$f = array();
$files = cpGetFldContentFiles(true,PATH_TPL);
foreach($files as $k=>$v) $f[FLD_TPL.$v] = $v;
$files = cpGetFldContentFiles(true,PATH_LNG);
foreach($files as $k=>$v) $f[FLD_TPL.FLD_LNG_.$v] = $v;
$files = cpGetFldContentFiles(true);
$skin = $ini->read('APPLICATION', 'skin').'/';
foreach($files as $k=>$v) $f[FLD_SKIN.$skin.$v] = $v;
$files = $f;
$files = array_flip($files);
[...]
elseif($files[$_GET['modify']]){
  if(!$files[$_GET['modify']]) $err_msg = "Please select file";
  else{
    $fn = PATH_SITE.$files[$_GET['modify']];
    $content = PrepareTplData(cpReadFile($fn));
  }
[...]
function PrepareTplData($s, $back = false)
{
  if (!$back) {
    $s = htmlspecialchars($s);
    return $s;
  }
  else {
    $s = stripslashes($s);
    return ReverseHtmlchars($s);
  }
}

./inc/lib/lib.inc.php:
function cpReadFile($fn){
  return @implode('', @file($fn));
}

This can lead to file disclosure, but this can't be exploited. You
can't use ../ because basename() is applied to $_GET['modify'] and the
malicious value is not in the array $files, so this is not vulnerable
to these exploits. Tested.

2007/4/19, Steven M. Christey <coley at mitre.org>:
>
> Who: Dr.RoVeR
> Where: BUGTRAQ:20070411 nEw Bug :D
>    URL:http://www.securityfocus.com/archive/1/archive/1/465339/100/100/threaded
>
> The researcher quotes a couple lines from index.php, but this is a red
> herring; these lines only set "page" to a static value when the
> provided parameter is missing or invalid.
>
> template.php (reachable through the "template" page in
> admin/index.php) in the provided download has:
>
>   if ($_GET['modify']) $_GET['modify'] = basename($_GET['modify']);
>
> but then later we have:
>
>   elseif($files[$_GET['modify']]){
>     if(!$files[$_GET['modify']]) $err_msg = "Please select file";
>     else{
>       $fn = PATH_SITE.$files[$_GET['modify']];
>       $content = PrepareTplData(cpReadFile($fn));
>     }
>   }
>
> and $fn is later used in an include.
>
> HOWEVER... on first glance, it seems like $files might be a whitelist,
> and $files is not specified in the attack url, so this conditional
> might not be satisfied.
>
> But given that the researcher quoted the entirely wrong section of
> code, this doesn't look like a grep-and-gripe situation, so maybe I'm
> missing something.  extra.php looks like it might have something:
>
>   $fn = PATH_SITE.$path.$_GET['modify'];
>   $content = cpReadFile($fn);
>
> but I don't see this being directly included by template.php.
>
> So, I'm a little mixed here.
>
> - Steve
>
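The whitelist mechanism the thread turns on (basename() on the parameter, then a lookup in the array_flip()'d $files map) as an added stand-alone example; this is not phpFaber's code nor part of the original thread, and the constants, folder listing and helper names are constructed stand-ins for the template.php logic quoted above:

```php
<?php
// Added example, not phpFaber's code: a minimal stand-in for the
// template.php flow discussed in the thread, showing why neither of
// the quoted "exploit" values ever reaches cpReadFile().

// Constructed stand-ins for the application's constants.
define('PATH_SITE', '/var/www/topsites/');   // assumed site root
define('FLD_TPL', 'tpl/');                    // assumed template folder

// Stand-in for cpGetFldContentFiles(true, PATH_TPL): the real helper
// lists the files in the template folder; here the listing is constructed.
function listTemplateFiles(): array {
    return ['index.tpl', 'footer.tpl'];
}

// Mirrors the quoted construction:  $f[FLD_TPL.$v] = $v;  $files = array_flip($f);
// After the flip the KEYS are bare file names from the listing and the
// VALUES are the folder-relative paths, so only a name that already exists
// in the listing can resolve to a path at all.
function buildWhitelist(): array {
    $f = [];
    foreach (listTemplateFiles() as $v) {
        $f[FLD_TPL . $v] = $v;
    }
    return array_flip($f);
}

// Mirrors the request handling: basename() first, then the array lookup.
// Returns the path that would be read, or null when the request is refused
// (the original uses a bare truthiness test; isset() gives the same result
// without the undefined-index notice).
function resolveModify(string $modify): ?string {
    $modify = basename($modify);
    $files  = buildWhitelist();
    if (!isset($files[$modify])) {
        return null;                 // falls through to the "Please select file" branch
    }
    return PATH_SITE . $files[$modify];
}

// The two values from the advisory, reduced to their "modify" parameter.
var_dump(resolveModify('../../../../../../etc/passwd')); // NULL: basename() gives "passwd", not a key
var_dump(resolveModify('inc/config.ini.php'));           // NULL: basename() gives "config.ini.php", not a key
var_dump(resolveModify('footer.tpl'));                   // "/var/www/topsites/tpl/footer.tpl"
```

The only reachable values are the bare names returned by the folder listing, which is why the traversal and config-file variants both fail before any file is opened.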