Bugtraq mailing list archives
Re: II-Labs Advisory: Remote code execution in YaBBse 1.5.2 (php version)
From: ScriptSlave () gmx net
Date: Sat, 10 May 2003 11:36:37 +0200 (MEST)
SSI.php: ------------------------------------------ include_once ($sourcedir . '/Errors.php'); include_once ($sourcedir . '/Subs.php'); include_once ($sourcedir . '/Load.php'); ------------------------------------------
You should probably quote the lines above this block, too. ------------------------------------------ (Line #031) $full_yabbse_path = '.'; (Line #048) include_once ($full_yabbse_path . '/Settings.php'); ------------------------------------------ and you should quote Settings.php: ------------------------------------------ (Line #067) $sourcedir = "/home/something/board/Sources"; ------------------------------------------ so before Errors.php is included, $sourcedir is *always* set to a value, overwriting any variable that is passed through the URL.
We can define $sourcedir variable through URL and include some other PHP script local or remote if remote inclusion is enabled in php.ini file. Bug in not exploitable if PHP's registar_globals is set to off.
see above - you can't
Add this line before include_once() lines mentioned above. ----cut here---- if (!isset($sourcedir)) $sourcedir = ""; ----cut here----
So you are setting $sourcedir to "" if it isn't set? Whats the point of this? The hole does *not* exist, as the variable $sourcedir is always set to a value. Even if the user did not yet configure YaBB SE, $sourcedir is set to an empty value. -- +++ GMX - Mail, Messaging & more http://www.gmx.net +++ Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!
Current thread:
- II-Labs Advisory: Remote code execution in YaBBse 1.5.2 (php version) DownBload (May 09)
- <Possible follow-ups>
- Re: II-Labs Advisory: Remote code execution in YaBBse 1.5.2 (php version) ScriptSlave (May 10)
- re: II-Labs Advisory: Remote code execution in YaBBse 1.5.2 (php version) Frog Man (May 12)