[VIM] RSSMini Exploit -- Probably Not

Steven M. Christey coley at linus.mitre.org
Thu Feb 15 17:23:42 EST 2007

On Thu, 15 Feb 2007, George A. Theall wrote:

>    include("config.php"); ^M
>    ...
>    <div id="ad"><?php include("$url/ads.php"); ?></div>^M
> There's no config.php file by default in the folder directory so this
> will work if register_globals is enabled and someone just unzips a copy
> of the software under their document directory.

Oh.  My.  God.

I can't believe this... the application doesn't exit on a failed include?

I just tested this and it's true, but... wow.  Oh wait, I see - require()
will trigger a fatal exit.  OK.  I didn't know about this feature of PHP.

But - there's a whole bunch of vulnerabilities waiting to be found that
rely on this behavior, 'cause I bet a bunch of PHP programmers don't
really understand this.  Is it protected against traversal and RFI, but
uses user input?  Fine, just use an invalid value, trigger a failed
include, and related variables become yours.

Ya learn something new every day.

- Steve

More information about the VIM mailing list