Vim backup Source Disclosure Vulnerability
by Chris Gragsone
Foot Clan

Date: December 27, 2001
Advisory ID: Foot-20011227
Impact of vulnerability: Source Disclosure
Exploitable: Remote
Maximum Risk: Moderate

Affected Software:
Vim

Vulnerability Description:
Vim is an improved version of the editor "vi", one of the standard text editors on UNIX systems. Vim includes a 'backup' option; once it is set, Vim renames the original file before it is overwritten. A malicious user can request the backup name for a script, bypassing the server-side processing and disclosing the script's source code.

In Vim 3.0 and earlier, the 'backup' option is set by default, and the original file is renamed to a filename appended with '.bak'. This option is disabled by default in Vim 4.0 and later. However, if enabled, the original file is renamed to a filename appended with '~'. In each case the backup file keeps the original permissions.

This is not a software bug but rather a misconfiguration or administrative oversight. The specific request involved with this vulnerability cannot belong to a legitimate connection.

This vulnerability has been tested with PHP4 on Apache, but should affect all other scripts which are routinely edited in this manner.

Vulnerability Reproduction:
with Vim 4.0 and later:
http://footclan.realwarp.net/passwd.php~
with Vim 3.0 and earlier:
http://footclan.realwarp.net/passwd.php.bak

References:
http://www.vim.org/

Contact:
http://footclan.realwarp.net/
Chris Gragsone (maetrics@realwarp.net)

Disclaimer:
The contents of this advisory are copyright (c)2001 Foot Clan and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
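An added audit example, not part of the original advisory: it walks a web document root and reports leftover '~' and '.bak' copies of server-side scripts, noting whether each is world-readable (the advisory points out that the backup keeps the original's permissions). The script-extension list and the function names are assumptions; adjust the list to whatever your server executes rather than serves as text.

```python
import os
import stat
import sys

# Assumption: extensions the web server executes instead of serving as text.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".phtml", ".cgi", ".pl", ".py", ".asp", ".jsp"}
# Backup suffixes named in the advisory: '~' (Vim 4.0 and later), '.bak' (Vim 3.0 and earlier).
BACKUP_SUFFIXES = ("~", ".bak")


def backup_of(name):
    """Return the original script name if `name` is a backup of a script, else None."""
    for suffix in BACKUP_SUFFIXES:
        if name.endswith(suffix):
            original = name[: -len(suffix)]
            if os.path.splitext(original)[1].lower() in SCRIPT_EXTS:
                return original
    return None


def find_exposed_backups(docroot):
    """Return a sorted list of (relative_path, world_readable) for script backups."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            if backup_of(name) is None:
                continue
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if not stat.S_ISREG(mode):
                continue  # ignore symlinks, sockets and other non-regular files
            rel = os.path.relpath(full, docroot)
            findings.append((rel, bool(mode & stat.S_IROTH)))
    return sorted(findings)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    results = find_exposed_backups(root)
    for rel, readable in results:
        flag = "world-readable" if readable else "restricted"
        print(f"{rel}\t{flag}")
    # Non-zero exit lets a cron job or deploy check fail when backups are present.
    sys.exit(1 if results else 0)
```

Run it against the document root from a deploy step or cron job; any hit should be deleted or moved outside the served tree.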