[VIM] Reneged: RE: FALSE -> DynamicPAD HomeDir RFI

Heinbockel, Bill heinbockel at mitre.org
Tue May 8 13:58:34 UTC 2007 

Doh!
Well, at least it's nice to see that their fix looks complete ;-)

I didn't see that notice posted when I checked earlier.
I used the posted download, which was most likely the
updated 1.03.31 code base. It did seem kind of
strange that this was in FRSIRT and SECUNIA though - they're
usually pretty good about checking this stuff.

And, of course it doesn't help that the vendor does not
provide versioning info in their download packages.


William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615 

>-----Original Message-----
>From: vim-bounces at attrition.org 
>[mailto:vim-bounces at attrition.org] On Behalf Of str0ke
>Sent: Tuesday, 08 May, 2007 09:32
>To: Vulnerability Information Managers
>Subject: Re: [VIM] FALSE -> DynamicPAD HomeDir RFI
>
>I don't have the source code to go back over 1.02 but it did seem
>vulnerable before.
>
>Their site states.
>A dangerous vulnerability has been detected in DynamicPAD 1.02. We
>strongly suggest that you  upgrade to the latest version as soon as
>possible!
>
>/str0ke
>
>On 5/8/07, Heinbockel, Bill <heinbockel at mitre.org> wrote:
>> MILW0RM:3868
>> SECUNIA:25176
>> FRSIRT:ADV-2007-1681
>> BID:23861
>>
>> The second line (before any use of $HomeDir) in index.php and
>> dp_logs.php:
>> >  require_once( "dp_conf.php" );
>>
>>
>> The first lines in dp_conf.php read:
>> >  Error_Reporting(0);
>> >
>> >  if ( file_exists( "dp_conf.php.inc" ) ) {
>> >    include( "dp_conf.php.inc" );
>> >  } else die( '<center>Unable to find dp_conf.php.inc</center>' );
>>
>>
>> And, the third instruction in INSTALL.txt reads:
>> > Rename "dp_conf.php.inc.default" into "dp_conf.php.inc" and
>> > "dp_conf.dat.default" into "dp_conf.dat".
>>
>> Finally, of course, in the packaged dp_conf.php.inc.default 
>file (line
>> 12):
>> >  $HomeDir           = "";
>>
>>
>> So, if the user follows the installation instructions, there 
>is no RFI.
>> If the user forgets the "install", the software dies. No 
>vulnerability.
>>
>>
>> William Heinbockel
>> Infosec Engineer, Sr.
>> The MITRE Corporation
>> 202 Burlington Rd. MS S145
>> Bedford, MA 01730
>> heinbockel at mitre.org
>> 781-271-2615
>>
>

More information about the VIM mailing list