Re: PHP Event Calendar 1.5.1 (index.php) Remote File Include Vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PHP Event Calendar 1.5.1 (index.php) Remote File Include Vulnerability

Subject: Re: PHP Event Calendar 1.5.1 (index.php) Remote File Include Vulnerability
Date: Wed, 29 Nov 2006 16:43:01 -0500
From: Stuart Moore <suppressed>

Systems that install 1.5.1 (fresh install rather than upgrade) shouldnot be vulnerable.


"philip anselmo" wrote:

Vulnerable Code:
***************
include $path_to_calendar."calendar.php";



Looking at the few lines prior to that:

  extract($HTTP_GET_VARS);
  if(suppressed './data/global.php'){
	  echo "Can't open ./data/global.php";
	  exit;
  }

  extract($PATHS);
  include $path_to_calendar."calendar.php";


After successfully running 'install.php', the 'data/global.php' file
will contain something like this:

  $PATHS=array(
  "path_to_calendar" => "/[blah]/cl_files/",
  "path_to_calendar_img" => "/[blah]/cl_files/img/",
  "WEB_path_to_calendar_img" => "http://[site]/[blah]/cl_files/img/";,
  "path_to_data" => "/[blah]/cl_files/data/"
  );

The include statement will use "/[blah]/cl_files/" instead of theuser-supplied parameter in $HTTP_GET_VARS.


And, indeed, testing confirms that the static parameter is used and that
the reported exploit URL does not work.

Systems that have been upgraded from an earlier version in an improper
manner may be a different story.

Stuart

Prev by Date: [Aria-Security Team] FipsSHOP SQL Injection
Next by Date: [USN-388-1] KOffice vulnerability
Previous by thread: PHP Event Calendar 1.5.1 (index.php) Remote File Include Vulnerability
Next by thread: ZDI-06-043: Novell Netware Client Print Provider Buffer Overflow Vulnerability
Index(es):
- Date
- Thread

Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.