Re: REMOTE FILE INCLUSION ( ALL )

To: SpC-x@xxxxxxxxxxx
Subject: Re: REMOTE FILE INCLUSION ( ALL )
From: "Steven M. Christey" <coley@xxxxxxxxx>
Date: Wed, 14 Jun 2006 02:33:06 -0400 (EDT)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

This post appears to have some errors.

What PHP version, environment, and operating system did you use to
test this?  Did you use a real web site, or did you just look at the
source code?

When a variable is used in a require or include statement, you must
make sure that the variable can be controlled by an attacker.  If the
variable is set to a fixed value, or it can only be changed by the
administrator, then it probably is not a vulnerability.

>CzarNews v1.14 Version - Remote File Include Vulnerabilities
>
>Link : http://www.root-security.org/danger/CzarNews.txt

If you search google.com for "CzarNews," then the 4th item is a
Secunia advisory for exactly the same vulnerability, which is
attributed to brOmstar and first announced sometime in March 2005.
That was not mentioned here.

>Simpnews <= All version - Remote File Include Vulnerabilities
>
>Link : http://www.root-security.org/danger/Simpnews.txt

It will be interesting to see the answer to str0ke's question about
this problem, since the source code suggests that there is no
vulnerability.

>phphg Guestbook Signed.PHP - Remote File Include Vulnerabilities
>
>Link : http://www.root-security.org/danger/phphgGuestbook.txt

The original source code as quoted from this advisory says:

> # $phphg_real_path = "./";
> # include($phphg_real_path . 'common.php');

which doesn't seem exploitable as presented, since $phphg_real_path is
set to a static value that is not controlled by an attacker.

>Flog 1.1.2 Version - Remote File Include Vulnerabilities
>
>Link : http://www.root-security.org/danger/Flog.txt

this link gives the code example:

> # $FLog_dir_include = 'include/';
> ...
> require_once($FLog_dir_include.'core.inc.php');

and, again, the variable is set to a static value.

>wheatblog 1.0 Version - "wb_inc_dir" Parameter File Inclusion
>Vulnerability
>
>Link : http://www.root-security.org/danger/wheatblog.txt

which says:

> # require_once('./settings.php');
> ...
> # include_once("$wb_inc_dir/header.php");
> ...
># http://www.victim.com/wheatblog/view_links.php?wb_inc_dir=Command-Shell

view_links.php does not define $wb_inc_dir, but if we look at
settings.php, we have:

>       $wb_dir =               '/www/wheatblog';  
>       $wb_inc_dir   = "$wb_dir/includes";

So, if the administrator sets $wb_dir to a fixed value, then
$wb_inc_dir cannot be controlled by an attacker.

>MD News 1 Version - Remote File Include Vulnerabilities
>
>Link : http://www.root-security.org/danger/MDNews.txt

the extracted code from this link says:

> # $configfile = "config.php";
> # require $configfile;

and gives a demonstration URL:

> # http://www.victim.com/MD News/latest.php?configfile=Command-Shell

but here, again, the variable is defined to a static value (this
particular source code can be seen from
http://scripts.ringsworld.com/news-publishing/mdnews/latest.php.html)


I did not examine the claims for the other products that were listed
in the original post.

- Steve

Prev by Date: wbb<<--v 2.2.2 "thread.php" SQL injection
Next by Date: wbb<<--v 2.2.1 "studienplatztausch.php" SQL injection
Previous by thread: REMOTE FILE INCLUSION ( ALL )
Next by thread: Re: REMOTE FILE INCLUSION ( ALL )
Index(es):
- Date
- Thread