This post appears to have some errors.
What PHP version, environment, and operating system did you use to
test this? Did you use a real web site, or did you just look at the
source code?
When a variable is used in a require or include statement, you must
make sure that the variable can be controlled by an attacker. If the
variable is set to a fixed value, or it can only be changed by the
administrator, then it probably is not a vulnerability.
>CzarNews v1.14 Version - Remote File Include Vulnerabilities
>
>Link : http://www.root-security.org/danger/CzarNews.txt
If you search google.com for "CzarNews," then the 4th item is a
Secunia advisory for exactly the same vulnerability, which is
attributed to brOmstar and first announced sometime in March 2005.
That was not mentioned here.
>Simpnews <= All version - Remote File Include Vulnerabilities
>
>Link : http://www.root-security.org/danger/Simpnews.txt
It will be interesting to see the answer to str0ke's question about
this problem, since the source code suggests that there is no
vulnerability.
>phphg Guestbook Signed.PHP - Remote File Include Vulnerabilities
>
>Link : http://www.root-security.org/danger/phphgGuestbook.txt
The original source code as quoted from this advisory says:
> # $phphg_real_path = "./";
> # include($phphg_real_path . 'common.php');
which doesn't seem exploitable as presented, since $phphg_real_path is
set to a static value that is not controlled by an attacker.
>Flog 1.1.2 Version - Remote File Include Vulnerabilities
>
>Link : http://www.root-security.org/danger/Flog.txt
this link gives the code example:
> # $FLog_dir_include = 'include/';
> ...
> require_once($FLog_dir_include.'core.inc.php');
and, again, the variable is set to a static value.
>wheatblog 1.0 Version - "wb_inc_dir" Parameter File Inclusion
>Vulnerability
>
>Link : http://www.root-security.org/danger/wheatblog.txt
which says:
> # require_once('./settings.php');
> ...
> # include_once("$wb_inc_dir/header.php");
> ...
> # http://www.victim.com/wheatblog/view_links.php?wb_inc_dir=Command-Shell
view_links.php does not define $wb_inc_dir, but if we look at
settings.php, we have:
> $wb_dir = '/www/wheatblog';
> $wb_inc_dir = "$wb_dir/includes";
So, if the administrator sets $wb_dir to a fixed value, then
$wb_inc_dir cannot be controlled by an attacker.
>MD News 1 Version - Remote File Include Vulnerabilities
>
>Link : http://www.root-security.org/danger/MDNews.txt
the extracted code from this link says:
> # $configfile = "config.php";
> # require $configfile;
and gives a demonstration URL:
> # http://www.victim.com/MD News/latest.php?configfile=Command-Shell
but here, again, the variable is defined to a static value (this
particular source code can be seen from
http://scripts.ringsworld.com/news-publishing/mdnews/latest.php.html)
I did not examine the claims for the other products that were listed
in the original post.
- Steve
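The triage rule Steve applies above (is the variable in the include/require statically assigned, request-controlled, or simply undefined in the file?) as an added Python example; it is not code from the post or from any of the products named. It scans PHP source line by line, and the sample inputs are constructed from the fragments quoted in the thread, except the "tainted" page and all function names, which are hypothetical.

```python
import re

# Constructed PHP snippets modelled on the fragments quoted in the post above
# (they are not the vendors' actual source files).
MDNEWS_LATEST = '<?php\n$configfile = "config.php";\nrequire $configfile;\n'
PHPHG_SIGNED = '<?php\n$phphg_real_path = "./";\ninclude($phphg_real_path . \'common.php\');\n'
WHEATBLOG_VIEW = '<?php\nrequire_once(\'./settings.php\');\ninclude_once("$wb_inc_dir/header.php");\n'
WHEATBLOG_SETTINGS = '<?php\n$wb_dir = \'/www/wheatblog\';\n$wb_inc_dir = "$wb_dir/includes";\n'
# Hypothetical file so the checker also sees a genuinely request-controlled path.
TAINTED_PAGE = '<?php\n$page = $_GET[\'page\'];\ninclude($page . \'.php\');\n'

INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*["\']?\$(\w+)')
ASSIGN_RE = re.compile(r'^\s*\$(\w+)\s*=\s*(.+?);\s*$')
SUPERGLOBAL_RE = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE)\b')
LITERAL_RE = re.compile(r'^(["\']).*\1$')
VAR_RE = re.compile(r'\$(\w+)')

def classify_includes(php_source):
    """Return [(line_no, variable, verdict)] for every include/require whose path
    starts with a variable. verdict is 'static' (assigned a quoted literal, possibly
    interpolating only static variables, earlier in this file), 'tainted' (derived
    from a request superglobal), 'unknown' (assigned something this checker cannot
    judge) or 'undefined' (never assigned in this file: register_globals or an
    included config file decides, so it needs a manual look, as with wheatblog)."""
    state = {}   # variable name -> 'static' | 'tainted' | 'unknown'
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        assign = ASSIGN_RE.match(line)
        if assign:
            name, rhs = assign.group(1), assign.group(2).strip()
            refs = [v for v in VAR_RE.findall(rhs) if not v.startswith('_')]
            if SUPERGLOBAL_RE.search(rhs) or any(state.get(v) == 'tainted' for v in refs):
                state[name] = 'tainted'
            elif LITERAL_RE.match(rhs) and all(state.get(v) == 'static' for v in refs):
                state[name] = 'static'
            else:
                state[name] = 'unknown'
            continue
        inc = INCLUDE_RE.search(line)
        if inc:
            var = inc.group(1)
            findings.append((line_no, var, state.get(var, 'undefined')))
    return findings

if __name__ == '__main__':
    for label, src in [('MD News', MDNEWS_LATEST), ('phphg', PHPHG_SIGNED),
                       ('wheatblog view_links.php alone', WHEATBLOG_VIEW),
                       ('wheatblog settings + view', WHEATBLOG_SETTINGS + WHEATBLOG_VIEW),
                       ('hypothetical tainted page', TAINTED_PAGE)]:
        print(label, classify_includes(src))
```

Running view_links.php alone reports the variable as undefined, which is exactly why the settings file had to be read before the wheatblog claim could be judged.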