[VIM] 60cycleCMS <= 2.5.0 Remote File Include Exploit

George A. Theall theall at tenablesecurity.com
Tue Dec 22 21:05:33 UTC 2009

On Dec 22, 2009, at 3:41 PM, Steven M. Christey wrote:

> So I wish I had the direct reference at hand, but I'm pretty sure  
> that older PHPs allowed overwriting of $_SERVER variables.  How old,  
> I'm not sure...  I think Stefan Esser did some writeup on this.  But  
> now I've dug up a 2006 post to VIM where I said the same thing and  
> apparently never followed up...
> There's always the risk of somebody implementing their own version  
> of register_globals and poisoning $_SERVER that way, but the code  
> snippet doesn't give enough context.
> Ah yes, Stefan saves the day on this last angle:
> http://www.suspekt.org/2009/02/06/some-facts-about-the-phplist-vulnerability-and-the-phpbbcom-hack/

To be clear, the problem Esser wrote about involves code that  
explicitly copies request parameter values into PHP variables to  
emulate PHP's register_globals when that's off:

   if (!ini_get("register_globals")
   	|| ini_get("register_globals") == "off") {
     # fix register globals, for now, should be phased out gradually
     # sure, this gets around the entire reason that register globals
     # should be off, but going through three years of code takes a  
long time....
     foreach ($_REQUEST as $key => $val) {
       $$key = $val;

>> Code snippet from 2.5.0, which is supposedly affected:
>> // include your sql info file here
>> $root = $_SERVER['DOCUMENT_ROOT'];
>> require "$root/../config.php";
> Yeah, I can see how this would raise questions.  Code inspection  
> would be needed.

Indeed. There's nothing of the sort going on in the code snippet from  

theall at tenablesecurity.com

More information about the VIM mailing list