[VIM] False: Pluck 4.3 themes.php Remote File Inclusion and disclosure

George A. Theall theall at tenablesecurity.com
Thu Aug 2 19:19:00 UTC 2007

The issues involving Pluck that were reported today by Aria Security 
look bogus to me. Their posting is here:


First, we supposedly have a remote file include, but looking at the code 
in 'data/inc/theme.php' from version 4.3 we see:

                           ---- snip, snip, snip ----
function read_dir($dir) {
    $path = opendir($dir);
    while (false !== ($file = readdir($path))) {
        if(($file !== ".") and ($file !== "..") and ($file !== 
"themepref.php") a
nd ($file !== "predefined_variables.php")) {
    if($dirs) {

        foreach ($dirs as $dir) {
           include ("$dir/theme.php");
                           ---- snip, snip, snip ----

In other words, the code claimed to be vulnerable occurs in a function 
which is called with an argument that is not under the attacker's control.

Second, there's supposedly a file disclosure issue involving the same 
script. The actual code looks like this:

                           ---- snip, snip, snip ----
//Save the theme-data
if(isset($_POST['Submit'])) {
$data = "data/inc/themes/themepref.php";
$file = fopen($data, "w");
fputs($file, "<?php \$themepref = \"$cont\"; ?>");
echo "$lang_theme3
<META HTTP-EQUIV=\"REFRESH\" CONTENT=\"3; URL=?action=options\">"; }
                           ---- snip, snip, snip ----

Thus, the code is actually writing to a specific file -- no chance of 
reading and displaying its contents.

Lastly... you have to be logged in to access the script as it starts 
with this:

                           ---- snip, snip, snip ----
//Check if we're logged in
if ($_SESSION["cmssystem_loggedin"] != "ok") {
echo "access denied";
exit; }
                           ---- snip, snip, snip ----

theall at tenablesecurity.com

More information about the VIM mailing list