[VIM] phpGraphy
George A. Theall
theall at tenablesecurity.com
Thu Jun 10 09:22:08 CDT 2010
Bugtraq 40506 covers a remote file include vulnerability in phpGraphy
version 0.9.13b. [I believe Exploit DB 12837 covered it as well but
that no longer exists now.] The BID shows the following PoC:
http://www.example.com/phpgraphy-0.9.13b/base/misc/mysql_cleanup.php?include_path=[SHELLCODE]
Looking at the source of the supposedly affected file in version
0.9.13b, though, you can see this is completely bogus:
<html>
<pre>
<?
...
// COMMENT OUT THE FOLLOWING LINE TO RUN THE SCRIPT //
die("This is a protection to avoid others people to run this script, to run it, you need to edit the file and remove the line with this text");
// Include path to change if you've moved the script from its original location
$include_path="../";
// You shouldn't need to edit anything below
if (is_file($include_path."config.inc.php")) include_once $include_path."config.inc.php"; else die("Could not find config.inc.php, please modify include_path in the header section ");
if (is_file($include_path."include/db_mysql.inc.php")) include_once $include_path."include/db_mysql.inc.php"; else die("Could not find db_mysql.inc.php, please modify the include_path in the header section");
Even if an admin commented out the initial 'die()', '$include_path' is
hardcoded, and the first 'include_once()' call includes
'$include_path/config.inc.php', which doesn't exist because the config
file is actually stored in '../../conf' and is named 'config.ini.php'
so the script will stop executing without ever trying to include a
function.
George
--
theall at tenablesecurity.com
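
The first two checks from the message above (an unconditional die() ahead of the include, and a hardcoded assignment that overwrites any request-supplied value), written as an added triage sketch for vetting a remote file include claim against the PHP source. It is not part of the original post and not phpGraphy code; triage_rfi_claim, strip_comments and SAMPLE are hypothetical names, and the matching is regex-based heuristics, not a PHP parser.

```python
import re

# Constructed sample: the lines of mysql_cleanup.php quoted in the post,
# with the "..." elision dropped and the die() messages shortened.
SAMPLE = '''<?
// COMMENT OUT THE FOLLOWING LINE TO RUN THE SCRIPT //
die("This is a protection");
$include_path="../";
if (is_file($include_path."config.inc.php")) include_once $include_path."config.inc.php"; else die("Could not find config.inc.php");
'''

# include/require keyword followed by whitespace or "(", up to the end of the
# statement; the lookahead keeps "$include_path" and "include/..." from matching.
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?(?=[\s(])[^;]*;')

def strip_comments(src):
    """Heuristic: drop /* */ blocks and whole-line // or # comments."""
    src = re.sub(r'/\*.*?\*/', '', src, flags=re.S)
    return re.sub(r'^[ \t]*(?://|#).*$', '', src, flags=re.M)

def triage_rfi_claim(php_src, param):
    """Check whether a request-supplied `param` could reach an include.

    Assumption: the claim relies on the request parameter becoming a PHP
    variable of the same name (register_globals-style behaviour).
    """
    src = strip_comments(php_src)
    var = re.escape('$' + param) + r'\b'
    inc = next((m for m in INCLUDE_RE.finditer(src)
                if re.search(var, m.group())), None)
    if inc is None:
        return {"used_in_include": False, "guarded": False,
                "overwritten": False, "reachable": False}
    before = src[:inc.start()]
    # A die()/exit at the start of a line ahead of the include stops the script.
    guarded = bool(re.search(r'^[ \t]*(?:die|exit)\b', before, re.M))
    # A literal assignment ahead of the include replaces any injected value.
    overwritten = bool(re.search(
        r'^[ \t]*' + var + r'\s*=\s*(["\'])[^"\'$]*\1\s*;', before, re.M))
    return {"used_in_include": True, "guarded": guarded,
            "overwritten": overwritten,
            "reachable": not (guarded or overwritten)}

if __name__ == "__main__":
    print(triage_rfi_claim(SAMPLE, "include_path"))
```

The third point in the message, that config.inc.php does not exist at the hardcoded path, depends on the installed file layout and is not checked here.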