[VIM] Download Management for PHP-Fusion Multiple Local File Include Vulnerabilities

George A. Theall theall at tenablesecurity.com
Tue Feb 5 15:55:23 UTC 2008

Has anyone looked at Bugtraq 27618 yet? I haven't seen the original  
advisory, but going by what's in the BID, I'm not sure the issues are  
valid, but my track record's been pretty poor lately so you probably  
should do your own research. :-(

- infusion.php starts by checking a couple of things, one of which is  
a define for "IN_FUSION". If that's not defined, it redirects to  
"../../index.php" and exits before reaching any code involving the  
supposedly-affected parameter.

- download_management_admin.php starts off by including PHP-Fusion's  
maincore.php, and that has support for extracting GET / POST variables  
if register_globals is disabled. But after that, maincore.php queries  
its database and populates the 'settings' array, including  
'settings[locale]', with the results. And I didn't find anywhere else  
that an attacker could regain control of the array variable.

theall at tenablesecurity.com

More information about the VIM mailing list