Re: Vulnerabilities digest

On Tue, 21 Aug 2007, 3APA3A wrote:

> 6. Ivan Niiiil (http://uNkn0wn.eu) reports vulnerabilities in
> Linkliste 1.2, Butterfly online vistors counter 1.08, mcLinksCounter
> 1.2, My_REFERER 1.08.
>
> Original messages in English are available from
> http://securityvulns.com/source26994.html

This issue, originally reported in CVE-2006-4863 for 1.1, was disputed by CVE and another party because langfile was set to a hard-coded value (english.php) before the include statement.

For 1.2, there's a different hard-coded value (french.php) but the issue seems to be the same. From stats.php in 1.2 we have:

  include "mclc.php";
  include "$langfile";

and mclc.php has the interesting idiom:

  if (!empty($_GET)) { extract($_GET, EXTR_OVERWRITE); }

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

whose security implications should be immediately apparent to PHP aficionados everywhere. (I refer to this as a "variable extraction error", CWE-621).

However, after this code, we have:

         $langfile="french.php";

french.php itself has no include/require code.

So, if this issue is legitimate, it would be useful to know how this exploit works.

Thanks,
Steve Received on Wed Aug 22 18:31:13 2007