[VIM] CVE dispute of Enigma WordPress RFI
Steven M. Christey
coley at mitre.org
Thu Jan 4 15:04:34 EST 2007
The quoted code is:
require_once($boarddir . '/PortalSources/Portal.ini.php');
$boarddir is not defined in Enigma2.php, but there's an include of an
SSI.php file before that use of $boarddir:
$SSIpath = '/home/username/public_html/SSI.php';
$SSIpath is expected to be modified by the user.
However, SSI.php doesn't exist in Enigma2. Some research shows that
Enigma2 uses SMF. A download of SMF 1.1.1 yields SSI.php:
global $boardurl, $boarddir, $sourcedir, $webmaster_email, $cookiename;
with no other uses of $boarddir.
However, later on we have:
require_once(dirname(__FILE__) . '/Settings.php');
and Settings.php has:
$boarddir = dirname(__FILE__); # The absolute path to the forum's folder. (not just '.'!)
The only apparent use of later variable overwrites ($$varname=x) is in
ManageServer.php with fixed variable names, which appears to be
intended for admin access only.
So, it looks like $boarddir can't be overwritten by the attacker.
More information about the VIM