BugTraq
Re: Morcego CMS <= 0.9.6 Remote File Inclue Vulnerability Dec 20 2007 08:20PM
antonio antoniocortes com
It's a Fake:

There's the line:

[Line 827] include_once($fichero);

It isn't posible to change the value of this variable with a GET parameter:

function cargar_includes(){

$includes = explode(';', $this -> get_var('includes'));

foreach($includes as $include){

$fichero = $this -> ruta_conf . $include ;

if (!empty($include) && file_exists($fichero)){

include_once($fichero);

}

}

}

In other line

class cls_morcegoCMS {

[...]

function includePHP( $cadena ) {

// quitaremos las / ó \ de $cadena , solo se permitirán archivos que esté en includes

$str_out = '';

$cadena = str_replace( "\\", "/", $cadena );

$cadena = ( strrpos( $cadena, '/') === false ) ? $cadena : substr( $cadena, - ( strrpos ( $cadena, '/') + 2 ));

$fichero = dirname(__FILE__) . '/../' . $cadena ;

if (file_exists( $fichero )){

@ob_start();

@include_once( $fichero);

$str_out = @ob_get_contents();

@ob_end_clean();

}

return $str_out;

}

[...]

I think it's to easy publish a false Vulnerability based on a old and unknow script.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus