Bugtraq mailing list archives

Re: JetBox cms (search_function.php) Remote File Include


From: "Carsten Eilers" <ceilers-lists () gmx de>
Date: Wed, 30 Aug 2006 20:39:25 +0200

Hi Steve,

Steven M. Christey wrote on Tue, 29 Aug 2006 19:57:13 -0400:

> Frank Reissner said:
>
>>  //comments
>>  
>>  function phpdigSearch(){
>>  
>>  Line: 423 <?php include $relative_script_path.'/libs/htmlheader.php'
>>  ?>
>>  
>>  ...
>>  }
>>
>> Please explain to us how that should be exploited.
>
> While this statement appears to be in a function declaration, there
> would be nested "<?php" tags - a parse error, at least in my PHP 4.

I tested it with PHP 4.3.10 on Mac OS X with Apache
1.3.33 and the script does nothing. No parse error,
no results. Only a white page.

Local and remote file inclusion tests show no results,
too.

> So, this code is "live" within the script, somehow.

Maybe. I find it hard to read; some more tabs would
be a good thing. :-)

I put a few 'echo "Test ...";' lines in the code; the
one after the last } is the only one which is executed.
Bad test, I know, but a "quick & dirty" way to see which
parts are executed and which are not.

> And, in fact, if we look at the surrounding context (at least for my
> copy of search_function.php), we have this:
>
>        else {
>            $t_strings = array_merge($t_mstrings,$t_fstrings);
>            phpdigParseTemplate($template,$t_strings,$table_results);
>        }
>    }
>    
>    else {
>    ?>
>    <?php include $relative_script_path.'/libs/htmlheader.php' ?>
>    <head>
>    <title><?php print $title_message ?></title>
>    <?php include $relative_script_path.'/libs/htmlmetas.php' ?>
>
>
> Notice the "?>" in front of the include statement, which closes off
> the first bit of executable code.

I'm not sure about the definition of function definitions.
In a normal script it's possible to mix <?...?> PHP code
and HTML code, for example if there are many HTML tags which
otherwise would have to be echo'ed in PHP. Is this possible inside
a function definition? The PHP manual says nothing about
this (or I didn't find it :-) ).

> So, this looks like it could be exploitable using a direct request to
> search_function.php, since at the point of the include, the
> $relative_script_path variable is *not* initialized.

It somewhat looks like this, yes.

I tried it with no results, but failing tests are no reliable
proof for non-inclusion.

But I tend to the conclusion that the whole script is really only
one function definition.

> Finally - the original pathname suggested a possible third party
> module, and in fact, the affected file and referenced code matches
> that of phpDig 1.8.8, so this is probably a vulnerability in phpDig
> instead of Jetbox.

I took a quick look at phpDig 1.8.8.
The search_function.php is mostly the same; here we find
a comment:

// $relative_script_path set in search.php file

Tests (remote and local inclusion) show no effects. But as
above... no proof.

Regards
  Carsten

-- 
Dipl.-Inform. Carsten Eilers
IT security and data protection

<http://www.ceilers-it.de>
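The two questions raised in the thread, whether a function body may drop out of PHP mode with "?>" and what an include on an unset $relative_script_path does there, as an added illustration. This is example code written for this page, not code from phpDig, JetBox or any poster; the function names and the libs/htmlheader.php path are assumed.

```php
<?php
// Added example, not from phpDig/JetBox or the original thread.
// Point 1: a function body may leave PHP mode with "?>" and re-enter with
// "<?php"; the inline HTML becomes an output statement that runs only when
// the function is called, so an uncalled definition gives no parse error
// and a blank page (the "white page" seen in the thread).
// Point 2: a function-local $relative_script_path stays unset even with
// register_globals on (that option only fills the global symbol table);
// only a variable that is global, or imported with "global", can be filled
// from the request, which is what makes such an include dangerous.

function phpdigSearchAsQuoted() {
    // Mirrors the quoted snippet: the variable is never assigned here.
    ?>
    <?php include $relative_script_path . '/libs/htmlheader.php' ?>
    <head><title><?php print $title_message ?></title></head>
    <?php
}

// Hardened variant (added here): the include root is derived from this
// file's own location and the target is checked to be an existing file
// below that root, so no request data can steer the include, locally or
// to a remote URL.
function phpdigSearchHardened($title_message) {
    $root = realpath(dirname(__FILE__));            // works on PHP 4 too
    $header = realpath($root . '/libs/htmlheader.php');
    if ($header === false || strpos($header, $root . DIRECTORY_SEPARATOR) !== 0) {
        trigger_error('header template missing or outside include root', E_USER_ERROR);
        return;
    }
    ?>
    <?php include $header ?>
    <head><title><?php print htmlspecialchars($title_message, ENT_QUOTES) ?></title></head>
    <?php
}

// Nothing is called at top level: running this file prints nothing, which
// reproduces the blank page observed above. A script that ships the
// libs/htmlheader.php template can call phpdigSearchHardened('phpDig search')
// to emit the header and the <head> block.
```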
