[VIM] Drupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector

George A. Theall theall at tenablesecurity.com
Fri Oct 19 16:17:06 UTC 2007


Has anyone had a chance to look at Milw0rm 4510? I have two comments 
about it...

First, it requires that register_globals be enabled so that 
drupal_unset_globals() in includes/bootstrap.inc tries to unset 
variables. But Drupal going back at least to version 4.6.3 comes with a 
.htaccess file intended to disable register_globals, which would seem to 
significantly reduce the number of possible installs that could be 
attacked successfully.

Second, I'm not clear where the hash value used in the PoC comes from. I 
implemented the code from Esser's advisory in a little hash value 
calculator, and running that for the '_menu' parameter tells me to use 
'-800928983' for PHP 4.x or '-312030023' for PHP 5.x. And indeed 
substituting the first value works just dandy for me on my test system.

George
-- 
theall at tenablesecurity.com
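The following is an added example, not George's calculator or the code from Esser's advisory. It reproduces the PHP 5.x figure quoted above for the '_menu' key, on the assumption that PHP 5's Zend hash is DJBX33A (start 5381, h = h*33 + c) computed over the key plus its trailing NUL byte on a 32-bit build; the PHP 4.x engine uses a different hash function, which is why the two figures in the post differ.

```python
# Added example: derive the numeric index a PHP 5.x build would treat as
# colliding with the string key '_menu' in a Zend hash table.
# Assumption: DJBX33A over key bytes plus the NUL terminator, 32-bit ulong.

def zend_hash_php5(key: str) -> int:
    """Unsigned 32-bit DJBX33A over the key and its NUL terminator."""
    h = 5381
    for c in key.encode("latin-1") + b"\x00":
        h = (h * 33 + c) & 0xFFFFFFFF
    return h


def as_php_long32(h: int) -> int:
    """Reinterpret the unsigned hash as a 32-bit signed long, which is how
    PHP would represent the equivalent numeric array index."""
    return h - (1 << 32) if h & 0x80000000 else h


def numeric_index_for(key: str) -> int:
    """Signed numeric index whose value equals the Zend string hash of key."""
    return as_php_long32(zend_hash_php5(key))


if __name__ == "__main__":
    print(numeric_index_for("_menu"))  # -312030023, the PHP 5.x figure above
```

On a 64-bit PHP build ulong is 64 bits wide, so the multiply never wraps at 2^32 and the resulting value differs from the 32-bit figure quoted in the post.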

