BugTraq
Vulnerabilities digest Aug 21 2007 07:36PM
3APA3A (3APA3A SECURITY NNOV RU) (1 replies)
Re: Vulnerabilities digest Aug 22 2007 10:16PM
Steven M. Christey (coley linus mitre org)

On Tue, 21 Aug 2007, 3APA3A wrote:

> 6. Ivan Niiiil (http://uNkn0wn.eu) reports vulnerabilities in
> Linkliste 1.2, Butterfly online vistors counter 1.08, mcLinksCounter
> 1.2, My_REFERER 1.08.
>
> Original messages in English are available from
> http://securityvulns.com/source26994.html

This issue, originally reported in CVE-2006-4863 for 1.1, was disputed by
CVE and another party because langfile was set to a hard-coded value
(english.php) before the include statement.

For 1.2, there's a different hard-coded value (french.php) but the issue
seems to be the same. From stats.php in 1.2 we have:

include "mclc.php";
include "$langfile";

and mclc.php has the interesting idiom:

if (!empty($_GET)) { extract($_GET, EXTR_OVERWRITE); }

whose security implications should be immediately apparent to PHP
aficionados everywhere. (I refer to this as a "variable extraction
error", CWE-621).

However, after this code, we have:

$langfile="french.php";

french.php itself has no include/require code.

So, if this issue is legitimate, it would be useful to know how this
exploit works.

Thanks,
Steve

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus