[VIM] CF Image Hosting Script v1.3.8 Remote File Inclusion
George A. Theall
theall at tenable.com
Mon Aug 30 14:04:15 CDT 2010
FYI: the issue covered by Exploit DB 14837 / Bugtraq 42845 isn't
accurate. Look at this snippet of code from the copy of inc/config.php
included in version 1.3.81:
---- snip, snip, snip ----
$settings = $setting_db->fetch_all();
// LANGUAGE PACK
if(isset($_GET['lang'])){
    setcookie('lang', input($_GET['lang']), null);
    if(file_exists('languages/'.input($_GET['lang']).'.lang.php'))
        $settings['SET_LANGUAGE'] = input($_GET['lang']);
}
if( isset($_COOKIE['lang']) && file_exists('languages/'.$_COOKIE['lang'].'.lang.php') && !isset($_GET['lang']))
    $settings['SET_LANGUAGE'] = $_COOKIE['lang'];
if(isset($settings['SET_LANGUAGE']) && file_exists('languages/'.$settings['SET_LANGUAGE'].'.lang.php'))
    @require('languages/'.$settings['SET_LANGUAGE'].'.lang.php');
---- snip, snip, snip ----
The '$settings' array is populated with configuration settings from
the database through the 'fetch_all' method in
'lib/arraydb.class.php', not from parameters that an attacker could control.
Still, the code suggests an exploitable local file inclusion
vulnerability involving the 'lang' GET parameter / COOKIE value.
George
--
theall at tenablesecurity.com
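
Added example (not part of the original post and not the project's own code): one way to close the 'lang' GET parameter / cookie inclusion path shown in the snippet is to accept a value only when it exactly matches a language file already present on disk. The function names, the directory layout and the 'en' default are assumptions made for illustration.

```php
<?php
// Added example, not CF Image Hosting Script code. Function names and the
// 'en' default are assumptions made for illustration.

/**
 * Build the allowlist of language codes from the files that actually exist
 * in the language directory (e.g. languages/en.lang.php -> "en").
 */
function available_languages(string $dir): array
{
    $codes = [];
    foreach (glob(rtrim($dir, '/') . '/*.lang.php') ?: [] as $path) {
        $code = basename($path, '.lang.php');
        // Keep only simple codes; anything else on disk is ignored.
        if (preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $code) === 1) {
            $codes[] = $code;
        }
    }
    return $codes;
}

/**
 * Return $candidate only if it is a string that exactly matches an
 * allowlisted code; otherwise return $fallback.
 */
function pick_language($candidate, array $allowed, string $fallback): string
{
    if (is_string($candidate) && in_array($candidate, $allowed, true)) {
        return $candidate;
    }
    return $fallback;
}

$langDir = __DIR__ . '/languages';
$allowed = available_languages($langDir);
$default = 'en'; // assumed default language code

// GET takes precedence over the cookie, as in the snippet above; both go
// through the same check, so the raw cookie value never reaches require.
$requested = $_GET['lang'] ?? ($_COOKIE['lang'] ?? null);
$language  = pick_language($requested, $allowed, $default);

if (isset($_GET['lang']) && $language === $_GET['lang']) {
    setcookie('lang', $language); // store only a validated value
}

if (in_array($language, $allowed, true)) {
    require $langDir . '/' . $language . '.lang.php';
}
```

Because the included path is built from a value taken out of the allowlist rather than from the request, directory separators, dot sequences and array-typed parameters never reach the filesystem call.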