[VIM] phpList "LFI" (OSVDB 50747 / Nessus 35259 / BID 32841)

security curmudgeon jericho at attrition.org
Tue Dec 23 02:00:14 UTC 2008


Below is confirmation that the recently reported "local file inclusion" is 
actually vulnerable to a remote file inclusion. This was discovered by 
Tenable during a quick examination of the 2.10.8 code base.

---------- Forwarded message ----------
From: Michiel Dethmers <michiel at tincan.co.uk>
To: security curmudgeon <jericho at attrition.org>
Date: Mon, 22 Dec 2008 20:56:55 -0200
Subject: Re: recent vulnerability more severe than local file inclusion? (fwd)


Hi,

checking the php 5 docs, yes, I think you're right and with php5 it may
also be a remote inclusion as the docs state "As of PHP 5.0.0, this
function can also be used with /some/ URL wrappers. Refer to List of
Supported Protocols/Wrappers <http://ar.php.net/manual/en/wrappers.php>
for a listing of which wrappers support stat()
<http://ar.php.net/manual/en/function.stat.php> family of functionality."

It is the issue as you describe, with the cline variable not being
initialised correctly.

Michiel

security curmudgeon wrote:
>
>
> ---------- Forwarded message ----------
> From: security curmudgeon <jericho at attrition.org>
> To: phplist-developers at tincan.co.uk
> Date: Mon, 22 Dec 2008 12:06:25 +0000 (UTC)
> Subject: recent vulnerability more severe than local file inclusion?
>
>
> Hello phpList developers,
>
> Regarding your recent announcement (http://www.phplist.com/?lid=273),
> your wording implies the vulnerability is a local file inclusion
> issue. However, after a cursory code examination, I believe the issue
> is either a remote file inclusion (considerably more serious), or
> there is potentially a second vulnerability:
>
> Look at admin/index.php:
>
>  if (!ini_get("register_globals") || ini_get("register_globals") ==
> "off") {
>    # fix register globals, for now, should be phased out gradually
>    # sure, this gets around the entire reason that
> register globals
>    # should be off, but going through three years of code takes a long
> time....
>
>    foreach ($_REQUEST as $key => $val) {
>      $$key = $val;
>    }
>  }
>  ...
>  if (isset($_SERVER["ConfigFile"]) && is_file($_SERVER["ConfigFile"])) {
>    print '<!-- using '.$_SERVER["ConfigFile"].'-->'."\n";
>    include $_SERVER["ConfigFile"];
>  } elseif (isset($cline["c"]) && is_file($cline["c"])) {
>    print '<!-- using '.$cline["c"].' -->'."\n";
>    include $cline["c"];
>
> Regardless of PHP's register_globals, an attacker has control of
> cline[c], which gets passed to an include(). 2.10.8 appears to have
> fixed the issue by explicitly setting cline to an empty array after
> the register_globals emulation code block.
>
> If I understand this correctly, is_file() works with URLs such as
> //somehost/file and ftp://somehost/file, at least as of PHP 5.0.0.
>
> Can you please confirm?
>
> Brian
> OSVDB.org

-- 
Michiel

--
Michiel Dethmers
Tincan Limited
London, Buenos Aires & Machynlleth
Tel: +44 (0)1654 702413
Email: michiel at tincan.co.uk
pgp: http://tincan.co.uk/michiel.asc
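The register_globals emulation and the 2.10.8 fix discussed in the thread, as an added PHP example that is not phpList's own code; the function names, the `$configDir` parameter and the sample request are assumptions made for the demo.

```php
<?php
// Added example, not phpList code: the admin/index.php pattern quoted above
// beside a hardened form. $request stands in for $_REQUEST; the request
// below is constructed for the demo.

// Vulnerable pattern: the register_globals emulation turns every request key
// into a variable, so a parameter named "cline" overwrites the local $cline
// before $cline['c'] reaches include().
function pick_config_vulnerable(array $request): ?string
{
    $cline = getopt('c:') ?: [];          // intended source: a CLI -c option
    foreach ($request as $key => $val) {  // the emulation block from the post
        $$key = $val;                     // clobbers $cline when $key == 'cline'
    }
    if (isset($cline['c']) && is_file($cline['c'])) {
        return $cline['c'];               // the path that would be include()d
    }
    return null;
}

// Hardened pattern: request data is never expanded into variables, $cline is
// assigned only after any legacy emulation would run (the 2.10.8 fix the post
// describes), and the path must resolve inside one directory. realpath() does
// not resolve stream wrappers, so ftp:// and similar inputs fail closed.
function pick_config_hardened(array $request, string $configDir): ?string
{
    $cline = [];                          // initialised after emulation, always
    if (PHP_SAPI === 'cli') {
        $cline = getopt('c:') ?: [];      // only the CLI may supply -c
    }
    $base = realpath($configDir);
    $path = isset($cline['c']) ? realpath($cline['c']) : false;
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                      // unset, missing, wrapper, or outside
    }
    return $path;
}

// Demo: a real temp file stands in for an attacker-chosen path.
$tmp = tempnam(sys_get_temp_dir(), 'cfg');
$request = ['cline' => ['c' => $tmp]];    // constructed "cline" parameter
var_dump(pick_config_vulnerable($request));            // string: clobbered $cline
var_dump(pick_config_hardened($request, __DIR__));     // NULL: request ignored
unlink($tmp);
```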



