[VIM] probably true: SimpGB RFI, likely dynamic variable evaluation
Steven M. Christey
coley at mitre.org
Thu May 24 18:01:01 UTC 2007
Ref: BUGTRAQ SimpGB v1.46.0 Remote File Include Exploit
First glance at guestbook.php shows:
and config.php (distributed as config.dist.php) has:
$path_simpgb = getenv("DOCUMENT_ROOT")."/simpgb";
but then, back in guestbook.php, we have:
whose name, history has demonstrated, suggests the possibility of
dynamic variable evaluation.
Sure enough, includes/global.inc has:
while( list($var, $param) = @each($_GET) )
if((substr($var,0,4)!="url_") && (substr($var,0,5)!="path_"))
$$var, total awesomeness.
But wait! This is in a nested include. Where does the RFI come in,
Ah, at the end of global.inc, we have:
I've only done source analysis though, and this is nested deep enough
that I'm not 100% confident in my conclusions.
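The import loop quoted from includes/global.inc, set beside an allowlist-based replacement, as an added example that is not part of the original post and is not SimpGB code. The function names, the `lang_dir` and `page` names and all sample values are constructed for illustration, and an array stands in for the script's variable table.

```php
<?php
// Added illustration; not SimpGB code. All names and values are constructed.

// Denylist import in the style quoted from includes/global.inc: every
// request key becomes a variable unless it starts with "url_" or "path_".
// $scope stands in for the script's variable table ($$var = $param).
function import_denylist(array $request, array $scope): array
{
    foreach ($request as $var => $param) {
        if (substr($var, 0, 4) != "url_" && substr($var, 0, 5) != "path_") {
            $scope[$var] = $param;
        }
    }
    return $scope;
}

// Hardened form: copy only the parameters the script expects, and only
// when each value passes its validator. Nothing else reaches the scope.
function import_allowlist(array $request, array $scope, array $allowed): array
{
    foreach ($allowed as $name => $validator) {
        if (isset($request[$name]) && is_string($request[$name])
            && $validator($request[$name])) {
            $scope[$name] = $request[$name];
        }
    }
    return $scope;
}

// Constructed state set by the application before the import runs.
// 'lang_dir' is a hypothetical internal variable without a protected prefix.
$scope = [
    'path_simpgb' => '/var/www/simpgb',
    'lang_dir'    => '/var/www/simpgb/language',
];

// Constructed request: an expected parameter, a name with a protected
// prefix, and a name that collides with the unprotected internal variable.
$request = ['page' => '2', 'path_simpgb' => 'X', 'lang_dir' => 'Y'];

// Allowlist of expected parameters with per-parameter validation.
$allowed = ['page' => fn($v) => ctype_digit($v)];

var_dump(import_denylist($request, $scope));
var_dump(import_allowlist($request, $scope, $allowed));
```

Comparing the two dumps shows which internal names the prefix check leaves open to overwrite from the query string and which the allowlist keeps intact.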