[VIM] probably true: SimpGB RFI, likely dynamic variable evaluation

Steven M. Christey coley at mitre.org
Thu May 24 18:01:01 UTC 2007

Researcher: the_Edit0r
Ref: BUGTRAQ SimpGB v1.46.0 Remote File Include Exploit

First glance at guestbook.php shows:


and config.php (distributed as config.dist.php) has:

   $path_simpgb = getenv("DOCUMENT_ROOT")."/simpgb";

but then, back in guestbook.php, we have:


whose name, history has demonstrated, suggests the possibility of
dynamic variable evaluation.

Sure enough, includes/global.inc has:

   while( list($var, $param) = @each($_GET) )
		if((substr($var,0,4)!="url_") && (substr($var,0,5)!="path_"))

$$var, total awesomeness.

But wait!  This is in a nested include.  Where does the RFI come in,
utilizing $path_simpgb?

Ah, at the end of global.inc, we have:


I've only done source analysis though, and this is nested deep enough
that I'm not 100% confident in my conclusions.

- Steve

More information about the VIM mailing list