[VIM] CVE dispute of Enigma WordPress RFI

Steven M. Christey coley at mitre.org
Thu Jan 4 15:04:34 EST 2007

Researcher: xoron
Ref: http://www.securityfocus.com/archive/1/archive/1/455555/100/0/threaded

The quoted code is:

  require_once($boarddir . '/PortalSources/Portal.ini.php');

$boarddir is not defined in Enigma2.php, but there's an include of an
SSI.php file before that use of $boarddir:

  $SSIpath = '/home/username/public_html/SSI.php';



$SSIpath is expected to be modified by the user.

However, SSI.php doesn't exist in Enigma2.  Some research shows that
Enigma2 uses SMF.  A download of SMF 1.1.1 yields SSI.php:

  global $boardurl, $boarddir, $sourcedir, $webmaster_email, $cookiename;

with no other uses of $boarddir.

However, later on we have:

  require_once(dirname(__FILE__) . '/Settings.php');

and Settings.php has:

  $boarddir = dirname(__FILE__);		# The absolute path to the forum's folder. (not just '.'!)

The only apparent use of later variable overwrites ($$varname=x) is in
ManageServer.php with fixed variable names, which appears to be
intended for admin access only.

So, it looks like $boarddir can't be overwritten by the attacker.

- Steve

More information about the VIM mailing list