[VIM] RSSMini Exploit -- Probably Not

George A. Theall theall at tenablesecurity.com
Thu Feb 15 15:40:31 EST 2007

This concerns <http://www.milw0rm.com/exploits/3316>:

I just grabbed the source for rssminifolder 
(http://rssmini.com/rssminifolder.zip). folder/index.php looks like this:

   include("config.php");
   <div id="ad"><?php include("$url/ads.php"); ?></div>

There's no config.php file by default in the folder directory so this 
will work if register_globals is enabled and someone just unzips a copy 
of the software under their document directory. However, to actually 
install it, you're supposed to copy the config.php file from folder's 
parent directory after editing it, and that has this line:

   $url = "http://rssmini.com/demo5";

I see nowhere in either file where $url can be overwritten by 
user-supplied input.

The other files mentioned in the milw0rm posting behave the same as 
index.php, at least as far as the exploit is concerned.

So in sum, this only looks like a problem if someone hasn't installed 
the software and has register_globals enabled.

P.S: Hope I got it right this time, str0ke. :-)

theall at tenablesecurity.com
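
Added example, not part of the original post and not RSSMini code: a small audit that flags a PHP file whose include path starts with a variable that neither the file nor the literal includes present beside it ever assign, which is the unzipped-but-not-installed state described above. The function names and the sample tree are constructed for illustration; register_globals is a php.ini setting and has to be checked separately.

```python
import re
import tempfile
from pathlib import Path

INC = r'\b(?:include|require)(?:_once)?\s*\(?\s*'
# include("$var/...") : the include path starts with a variable
VAR_INCLUDE = re.compile(INC + r'"\$(\w+)/')
# include("file.php") : a literal file pulled in from the same directory
LIT_INCLUDE = re.compile(INC + r'["\']([\w./-]+\.php)["\']')

def assigns(text, var):
    """True if text contains a plain assignment to $var (not a == comparison)."""
    return re.search(r'\$' + re.escape(var) + r'\s*=[^=]', text) is not None

def unset_include_vars(php_file):
    """Variables used as an include prefix that neither the file nor the
    literal includes present on disk ever assign."""
    php_file = Path(php_file)
    text = php_file.read_text(errors="replace")
    sources = [text]
    for name in LIT_INCLUDE.findall(text):
        dep = php_file.parent / name
        if dep.is_file():            # a missing config.php contributes nothing
            sources.append(dep.read_text(errors="replace"))
    return sorted({v for v in VAR_INCLUDE.findall(text)
                   if not any(assigns(s, v) for s in sources)})

def demo():
    # Constructed sample tree built from the lines quoted in the post.
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "folder"
        folder.mkdir()
        index = folder / "index.php"
        index.write_text('<?php include("config.php"); ?>\n'
                         '<div id="ad"><?php include("$url/ads.php"); ?></div>\n')
        unzipped = unset_include_vars(index)      # no config.php copied yet
        (folder / "config.php").write_text('<?php\n$url = "http://rssmini.com/demo5";\n')
        installed = unset_include_vars(index)     # config.php in place
    return unzipped, installed

if __name__ == "__main__":
    print(demo())
```

A non-empty result only marks a file worth reviewing; whether the variable can actually be set from a request depends on register_globals, as the post says.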
