[VIM] WTF: RIG Image Gallery (dir_abs_src) Remote File Include Vulnerability

George A. Theall theall at tenablesecurity.com
Tue Jul 31 02:06:16 UTC 2007

Another advisory from ilker Kandemir:


Sample exploit:


Actual code from 2006-06-24_v10:

                        ---- snip, snip, snip ----
   function rig_check_src_file($name)
   {
           // disable auto-globals from CGI params -- RM 20060624 - v1.0
           ini_set("register_globals", "0");

           // complain if that didn't work
           if (ini_get("register_globals") == 1)
               echo "<h1>RIG Security Error</h1>";

           // strip any URL scheme separator, then collapse ".." to "."
           $name = str_replace("..", ".", str_replace("://", "", $name));
           return $name;
   }
   require_once(rig_check_src_file($dir_abs_src . "entry_point.php"));
                        ---- snip, snip, snip ----

By the way, there is no executable PHP code before the function definition.

I don't think any version of PHP allows for changing register_globals 
via ini_set() -- see <http://us3.php.net/manual/en/ini.php#ini.list> -- 
which is probably why the author checks whether it is set and exits if 
so. But regardless, the str_replace() later on in rig_check_src_file() 
would certainly void the possibility of a remote file include attack.

theall at tenablesecurity.com
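As an added example (not part of the post and not RIG's own code), here is a Python model of the quoted sanitizer run over constructed dir_abs_src values, beside a stricter realpath-based check that only accepts an include target under an assumed install directory (/var/www/rig and the evil.example host are made-up). PHP's str_replace() and Python's str.replace() both make a single left-to-right, non-overlapping pass, so the modelled results match PHP's.

```python
import os

# Model of the PHP rig_check_src_file() quoted above: remove "://", then
# replace ".." with "." (single pass, same semantics as PHP str_replace()).
def rig_check_src_file(name: str) -> str:
    return name.replace("://", "").replace("..", ".")

def rig_include_target(dir_abs_src: str) -> str:
    """What the quoted require_once() line ends up asking PHP to load."""
    return rig_check_src_file(dir_abs_src + "entry_point.php")

def include_stays_in_base(dir_abs_src: str, base_dir: str = "/var/www/rig") -> bool:
    """Stricter, allowlist-style check (an addition here, not RIG's code):
    resolve the final include path and accept it only if it lies inside
    base_dir. The result is always an absolute local path, so a URL in
    dir_abs_src can never reach a PHP stream wrapper. base_dir is an
    assumed install location."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, dir_abs_src, "entry_point.php"))
    return os.path.commonpath([base, target]) == base

if __name__ == "__main__":
    # Constructed sample values of the kind an RFI advisory would supply,
    # plus one legitimate relative directory.
    samples = [
        "http://evil.example/",
        "ftp://evil.example/x.txt?",
        "../../etc/",
        "/etc/",
        "themes/default/",
    ]
    for s in samples:
        print(f"{s!r:30} -> {rig_include_target(s)!r:42} "
              f"stays in base: {include_stays_in_base(s)}")
```

Running it shows the "://" removal turning a remote URL into a relative local name, while the realpath check rejects both traversal and absolute paths outright.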
