[VIM] 60cycleCMS <= 2.5.0 Remote File Include Exploit

Steven M. Christey coley at linus.mitre.org
Tue Dec 22 20:41:11 UTC 2009

On Tue, 22 Dec 2009, George A. Theall wrote:

> With a bit of encouragement from Steve...

oh, great, blame me ;-)

> Exploit DB's #10551 looks bogus to me. PoC is:
> [60cycleCMS_path]/common/sqlConnect.php?DOCUMENT_ROOT=[SHELL 
> DIRECTORY]/something

So I wish I had the direct reference at hand, but I'm pretty sure that 
older PHPs allowed overwriting of $_SERVER variables.  How old, I'm not 
sure...  I think Stefan Esser did some writeup on this.  But now I've dug 
up a 2006 post to VIM where I said the same thing and apparently never 
followed up...

There's always the risk of somebody implementing their own version of 
register_globals and poisoning $_SERVER that way, but the code snippet 
doesn't give enough context.

Ah yes, Stefan saves the day on this last angle:


> Code snippet from 2.5.0, which is supposedly affected:
> // include your sql info file here
> $root = $_SERVER['DOCUMENT_ROOT'];
> require "$root/../config.php";

Yeah, I can see how this would raise questions.  Code inspection would be 

In CVE, we've been somewhat agnostic on this general point because of my 
vague recollection that older PHPs allowed $_SERVER to be directly 

- Steve
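Added example, not 60cycleCMS code and not from this thread: the context the quoted snippet lacks is whether the application itself writes request data into $_SERVER or emulates register_globals, so this Python triage script flags exactly those patterns plus every include whose path is built from DOCUMENT_ROOT, and runs over a constructed PHP sample that wraps the quoted 2.5.0 lines in a hypothetical bootstrap.

```python
"""Triage helper (added example, not 60cycleCMS code).
Flags what a reviewer needs before crediting the quoted PoC:
(1) writes of request data into $_SERVER or a home-grown register_globals,
(2) include/require statements whose path comes from $_SERVER['DOCUMENT_ROOT'].
Regex-based, so it is a triage aid, not a PHP parser."""
import re

REQUEST_ARRAYS = r"\$_(GET|POST|REQUEST|COOKIE)"
# Direct writes into $_SERVER, including through $GLOBALS['_SERVER'].
SERVER_WRITE = re.compile(
    r"(\$_SERVER\s*(\[[^\]]*\])?|\$GLOBALS\s*\[\s*['\"]_SERVER['\"]\s*\])\s*=[^=]")
# register_globals emulation: extract() on a request array,
# import_request_variables(), or dynamic global writes ($$name / $GLOBALS[$name]).
GLOBALS_EMULATION = re.compile(
    rf"\bextract\s*\(\s*{REQUEST_ARRAYS}\b|\bimport_request_variables\s*\("
    r"|\$\$\w+\s*=[^=]|\$GLOBALS\s*\[\s*\$\w+\s*\]\s*=[^=]")
# Includes built from DOCUMENT_ROOT, directly or via a variable that copies it.
DOCROOT_INCLUDE = re.compile(r"\b(include|require)(_once)?\b.*DOCUMENT_ROOT")
DOCROOT_ALIAS = re.compile(r"\$(\w+)\s*=\s*\$_SERVER\s*\[\s*['\"]DOCUMENT_ROOT['\"]\s*\]")

def audit_php(source: str) -> list[tuple[int, str, str]]:
    """Return (line number, category, stripped source line) for each finding."""
    findings, aliases = [], set()   # aliases: variables holding DOCUMENT_ROOT
    for no, line in enumerate(source.splitlines(), start=1):
        text = line.strip()
        if SERVER_WRITE.search(text):
            findings.append((no, "server-write", text))
        if GLOBALS_EMULATION.search(text):
            findings.append((no, "register-globals-emulation", text))
        if m := DOCROOT_ALIAS.search(text):
            aliases.add(m.group(1))
        via_alias = aliases and re.search(
            r"\b(include|require)(_once)?\b.*\$(%s)\b" % "|".join(map(re.escape, aliases)), text)
        if DOCROOT_INCLUDE.search(text) or via_alias:
            findings.append((no, "docroot-include", text))
    return findings

# Constructed sample: the quoted 2.5.0 snippet behind a hypothetical bootstrap.
SAMPLE_PHP = """<?php
foreach ($_REQUEST as $k => $v) { $GLOBALS[$k] = $v; }  // home-grown register_globals
$_SERVER = array_merge($_SERVER, $_GET);  // the kind of line that would make the PoC real
if ($_SERVER['HTTPS'] == 'on') { $scheme = 'https'; }  // a read, must not be flagged
// include your sql info file here
$root = $_SERVER['DOCUMENT_ROOT'];
require "$root/../config.php";
require_once __DIR__ . '/functions.php';  // path fixed at compile time, not from $_SERVER
"""

if __name__ == "__main__":
    for no, category, text in audit_php(SAMPLE_PHP):
        print(f"line {no}: {category}: {text}")
```

Without a "server-write" or "register-globals-emulation" hit anywhere in the code base, a "docroot-include" finding on its own is not evidence for the PoC.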

