[VIM] Storyteller CMS (var) Local File Inclusion Vulnerability

George A. Theall theall at tenable.com
Fri Sep 17 20:57:18 CDT 2010

BorN To K!LL reported a local file inclusion vulnerability in  
StoryTeller CMS -- covered by Exploit DB 14996 / Bugtraq 43201 -- and  
offers the following code snippet from 'core.php':

     function GetTemplate($var)
         if (file_exists("templates/$var.tmp.php"))
             die ("Error: Can't open template $var");
         return $EST_TEMPLATE;

as well as the following POC:


How's that exploitable? The file only uses '$var' as an argument in  
various functions. And there's no way I see for an attacker to control  
input to 'GetTemplate()'.

theall at tenablesecurity.com

More information about the VIM mailing list