[VIM] TCExam code injection: why does this work? (and vendor ACK)

Steven M. Christey coley at mitre.org
Tue May 1 23:25:41 UTC 2007

Researcher: rgod
Ref: http://www.milw0rm.com/exploits/3816

This is a pretty complex manipulation.  It concentrates on a
SessionUserLang cookie and provides an attack:


which decodes to:


This value is fed into $language in the constructor for the
TMXResourceBundle class (see $lang_resources assignment in rgod's

$cachefile is set as:

  K_PATH_CACHE.basename(K_PATH_TMX_FILE, ".xml")."_".K_USER_LANG.".php")

and, since K_USER_LANG came from SessionUserLang, this would be set to
something like:


If $cachefile is this value, then how does it possibly make it through
this code?

  $this->cachefile = $cachefile;
  if (file_exists($this->cachefile)) { // read data from cache
    $this->resource = $tmx;
  } else {
    if (!empty($this->cachefile)) {
      // open cache file
      file_put_contents($this->cachefile, "<"."?php\n".
        "// CACHE FILE FOR LANGUAGE: ".$language."\n".
        "// DATE: ".date("Y-m-d H:i:s")."\n"

How could file_put_contents() possibly succeed with such a badly
formed filename?

Well - whatever it was, the vendor apparently fixed it:


  "TCExam 4.1.000 new release with security fixes."

The tce_tmx code is now changed to say:

   "// CACHE FILE FOR LANGUAGE: ".substr($language,0,2)."\n".

but I'm still confused about how $this->cachefile is opened in the
first place.  What did I miss?

- Steve
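As an added illustration (not TCExam's or rgod's code) of the two sinks discussed in this post, the cache path built from K_USER_LANG and the header line that embeds $language inside a `//` comment, here is the quoted writer next to the vendor's substr() variant and a stricter allow-list check; K_PATH_CACHE, K_PATH_TMX_FILE and the language list are assumed placeholders.

```php
<?php
// Added example, not TCExam's own code. Paths and the language list are
// assumed placeholders chosen so the script runs offline in a temp dir.
define('K_PATH_CACHE', sys_get_temp_dir() . '/tcexam_cache_demo/');
define('K_PATH_TMX_FILE', '/assumed/path/language.xml');

// Path built exactly as the post quotes it: the cookie-derived language
// code is concatenated into the filename with no validation at all.
function cache_path_unsafe(string $lang): string {
    return K_PATH_CACHE . basename(K_PATH_TMX_FILE, '.xml') . '_' . $lang . '.php';
}

// Hardened path: only a two-letter code from a fixed list is accepted;
// anything else is rejected instead of being turned into a filename.
function cache_path_safe(string $lang, array $known = ['en', 'it', 'de']): ?string {
    if (!preg_match('/^[a-z]{2}$/', $lang) || !in_array($lang, $known, true)) {
        return null;
    }
    return K_PATH_CACHE . basename(K_PATH_TMX_FILE, '.xml') . '_' . $lang . '.php';
}

// Header as quoted in the post (pre-4.1.000): $language lands verbatim in
// a line comment, so a newline inside it ends the comment early.
function cache_header_unsafe(string $language): string {
    return "<" . "?php\n"
         . "// CACHE FILE FOR LANGUAGE: " . $language . "\n"
         . "// DATE: " . date("Y-m-d H:i:s") . "\n";
}

// Vendor's change: truncate to two characters before interpolating.
function cache_header_fixed(string $language): string {
    return cache_header_unsafe(substr($language, 0, 2));
}

// True when some line of the generated header is neither the open tag
// nor a '//' comment, i.e. the value escaped the comment it was put in.
function header_has_non_comment_line(string $header): bool {
    foreach (explode("\n", $header) as $line) {
        if ($line !== '' && $line !== '<?php' && strpos($line, '//') !== 0) {
            return true;
        }
    }
    return false;
}

$crafted = "en\nNOT_A_COMMENT"; // constructed value with an embedded newline
printf("unsafe header escapes comment: %s\n", header_has_non_comment_line(cache_header_unsafe($crafted)) ? 'yes' : 'no');
printf("substr() header escapes comment: %s\n", header_has_non_comment_line(cache_header_fixed($crafted)) ? 'yes' : 'no');
printf("unsafe path: %s\n", json_encode(cache_path_unsafe($crafted)));
printf("safe path for crafted value: %s\n", json_encode(cache_path_safe($crafted)));
printf("safe path for 'en': %s\n", json_encode(cache_path_safe('en')));
```

The substr() change only shortens what reaches the comment; it does nothing for the filename, which is why the allow-list check is applied to the path separately.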
