Re: phpMyConferences <= 8.0.2 Remote File Inclusion

To: mfp.c@xxxxxxxxxxx
Subject: Re: phpMyConferences <= 8.0.2 Remote File Inclusion
From: "Steven M. Christey" <coley@xxxxxxxxx>
Date: Thu, 2 Nov 2006 21:00:36 -0500 (EST)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

mfp.c,

In 8.0.2, the surrounding code for this bug is:

  function insert_cached_module($module_desc)
  {
      ...
      global $lvc_modules_dir;
      ...
      if (!$gloaded_modules[$module_name])
          {
              include($lvc_modules_dir.'/'.$module_name.'.module.php');


Since this include is within a function definition, the claimed
exploit (direct request to library.inc.php) should not work.

I'm unclear on whether a global declaration for a variable within a
function definition is sufficient to override initialization from
things like GET requests, but at best, the direct request to
library.inc.php appears erroneous.

Were you able to get an exploit to work?

- Steve

Prev by Date: EUSecWest/London CFP extended to Nov. 7
Next by Date: [ MDKSA-2006:196 ] - Updated php packages to address buffer overflow issue
Previous by thread: phpMyConferences <= 8.0.2 Remote File Inclusion
Next by thread: SpamOborona PHPBB Plugin Remote File Include Vulnerability
Index(es):
- Date
- Thread