Bugtraq mailing list archives

Re: JetBox cms (search_function.php) Remote File Include


From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 30 Aug 2006 19:12:19 -0400 (EDT)


On Wed, 30 Aug 2006, Carsten Eilers wrote:

> Bad test, I know, but a "quick&dirty" way to see which
> parts are executed and which are not.

Hey, it works :)

>> Notice the "?>" in front of the include statement, which closes off
>> the first bit of executable code.

> I'm not sure about the definition of function definitions.
> In a normal script it's possible to mix <?...?> PHP code
> and HTML code, for example if there are many HTML tags which
> otherwise would have to be echoed in PHP. Is this possible inside
> a function definition? The PHP manual says nothing about
> this (or I didn't find it :-) ).

Yes, this is possible, now that I've looked more closely.

1) A function definition can cross multiple <?php> tags

2) Because of (1), not every <?php> tag will be 'executed' at the moment
   of loading, if it's enclosed within a function definition.  The
   affected include statement was isolated within its own <?php> tag,
   which made it seem like it might execute upon loading.

3) You can also have HTML within that function definition, which will be
   printed out when the function is called, not when it is being parsed.

These interesting properties were what confused me.

>> So, this looks like it could be exploitable using a direct request to
>> search_function.php, since at the point of the include, the
>> $relative_script_path variable is *not* initialized.

> It looks somewhat like this, yes.

It looks like this, but the include does fall within the scope of the
function definition, once you merge all the <?php> constructs together.

So, this does not look exploitable.

> But I tend to the conclusion that the whole script is really only
> one function definition.

I agree.

- Steve

P.S.  Here is some demonstration code to highlight some of what I
mentioned here.

=======================================================

... at the beginning of the file ...<br>
... begin definition for abc() - fragment 1 ...<br>
<?php
function abc () {
  echo "... executing first statement in abc() ...<br>";
?>
<b>... this HTML is within abc()'s definition  and will only be printed
out when abc() is called, not when this file is loaded.  Notice how
this HTML appears AFTER the "calling abc()" string in
the web output, but it appears BEFORE that string in the raw
source...<br></b>
... finishing abc() - closing brace - fragment 2 ...<br>
<?php
  echo "... executing last statement in abc() ...<br>";
}
?>
... more HTML cruft between php tags ...<br>
<?php echo "... calling abc() ...<br>"; abc(); ?>
... at the end of the file ...<br>
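The parsing rule discussed in this thread (a "?> ... <?php" boundary does not reset brace nesting, so an include can sit inside a function body even when it has its own <?php tag) can be turned into a mechanical triage check. The following is an added example, written for this archive page; it is not code from the original message, from Steven Christey, or from JetBox. It uses PHP's built-in token_get_all() and tracks brace depth across open/close tags to report whether each include/require is at file scope (runs on every direct request) or inside a function body (runs only when that function is called). The sample file it scans is constructed here to mirror the shape of the script under discussion; the function name search_function() and the path "config/config.php" are assumptions, not JetBox's real code.

```php
<?php
// Added example: static check for whether include/require statements fall
// inside a function body once all <?php ... ?> fragments are merged.
// Not from the original message or from JetBox; see lead-in for assumptions.

function include_scopes(string $src): array {
    $depth = 0;          // current { } nesting depth, carried across ?> <?php boundaries
    $func_depth = null;  // depth at which the innermost function body was opened
    $pending_func = false;
    $out = [];
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok)) {
            [$id, $text, $line] = $tok;
            if ($id === T_FUNCTION) {
                $pending_func = true;            // next '{' opens a function body
            } elseif (in_array($id, [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
                $out[] = [
                    'line'        => $line,
                    'stmt'        => $text,
                    'in_function' => $func_depth !== null,
                ];
            }
            // T_CLOSE_TAG, T_INLINE_HTML and T_OPEN_TAG are deliberately ignored:
            // leaving and re-entering PHP mode does not change $depth.
            continue;
        }
        if ($tok === '{') {
            $depth++;
            if ($pending_func && $func_depth === null) {
                $func_depth = $depth;
            }
            $pending_func = false;
        } elseif ($tok === '}') {
            if ($func_depth === $depth) {
                $func_depth = null;              // left the function body
            }
            $depth--;
        } elseif ($tok === ';') {
            $pending_func = false;               // e.g. a bodyless declaration
        }
    }
    return $out;
}

// Constructed sample input modelled on the script discussed above (assumed
// names; not the real JetBox file). The first include sits in its own <?php
// fragment but inside search_function(); the second is at file scope.
$sample = <<<'PHP'
<?php
function search_function() {
  echo "inside";
?>
<b>HTML inside the body</b>
<?php
  include($relative_script_path . "config/config.php");
}
?>
<?php include($relative_script_path . "config/config.php"); ?>
PHP;

foreach (include_scopes($sample) as $hit) {
    printf("line %d: %s -> %s\n", $hit['line'], $hit['stmt'],
        $hit['in_function']
            ? "inside a function body (not reached by a direct request)"
            : "file scope (runs on every request)");
}
```

Run with `php include_scopes.php`; for the constructed sample it reports the line 7 include as inside a function body and the line 10 include as file scope. Only a file-scope include with an uninitialized or attacker-controlled path is the direct-request RFI pattern; an include inside an uncalled function is parsed but never executed, which is the distinction that resolves the original report.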

