Re: [ECHO_ADV_34$2006] W-Agora (Web-Agora) <= 4.2.0 (inc_dir) Remote File Inclusion
>Successful exploitation requires that "register_globals= Off ".
That seems very strange, doesn't it?
Especially if you look at the source code.
Let's start with search.php, one of the vulnerable vectors:
<?php
...
require ("init.inc");
and in init.inc:
require ("globals.inc");
...
require ("$inc_dir/misc_func.$ext");
and in globals.inc:
if (defined("_GLOBALS")) return;
define('_GLOBALS', 1);
...
$inc_dir = 'include';
So - how could an attacker POSSIBLY modify the $inc_dir variable AFTER
it's set to a static value and when register_globals is off?
The answer is dynamic variable evaluation, which I posted about a
couple months ago at:
http://www.securityfocus.com/archive/1/432828
If we look more closely at globals.inc, later on, we see this:
if (!get_cfg_var("register_globals") ) {
include "include/register_globals.$ext";
}
and then if we look at register_globals.php, we see code like this:
if (isset($HTTP_GET_VARS)) {
reset($HTTP_GET_VARS);
while ( list($var, $val) = each($HTTP_GET_VARS) ) {
$$var=$val;
}
}
as well as for $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_POST_FILES,
$HTTP_COOKIE_VARS.
This highlights the insidious nature of dynamic evaluation.
So - for those of us who have been questioning vulnerability reports
because we were seeing static values being set in include files - we
need to see if dynamic variable evaluation happens *after* the
variable is set, but *before* it's used.
Nasty, nasty stuff...
- Steve