This post appears to have some errors. What PHP version, environment, and operating system did you use to test this? Did you use a real web site, or did you just look at the source code?

When a variable is used in a require or include statement, you must make sure that the variable can be controlled by an attacker. If the variable is set to a fixed value, or it can only be changed by the administrator, then it probably is not a vulnerability.

>CzarNews v1.14 Version - Remote File Include Vulnerabilities
>
>Link : http://www.root-security.org/danger/CzarNews.txt

If you search google.com for "CzarNews," then the 4th item is a Secunia advisory for exactly the same vulnerability, which is attributed to brOmstar and first announced sometime in March 2005. That was not mentioned here.

>Simpnews <= All version - Remote File Include Vulnerabilities
>
>Link : http://www.root-security.org/danger/Simpnews.txt

It will be interesting to see the answer to str0ke's question about this problem, since the source code suggests that there is no vulnerability.

>phphg Guestbook Signed.PHP - Remote File Include Vulnerabilities
>
>Link : http://www.root-security.org/danger/phphgGuestbook.txt

The original source code as quoted from this advisory says:

> # $phphg_real_path = "./";
> # include($phphg_real_path . 'common.php');

which doesn't seem exploitable as presented, since $phphg_real_path is set to a static value that is not controlled by an attacker.

>Flog 1.1.2 Version - Remote File Include Vulnerabilities
>
>Link : http://www.root-security.org/danger/Flog.txt

This link gives the code example:

> # $FLog_dir_include = 'include/';
> ...
> require_once($FLog_dir_include.'core.inc.php');

and, again, the variable is set to a static value.

>wheatblog 1.0 Version - "wb_inc_dir" Parameter File Inclusion
>Vulnerability
>
>Link : http://www.root-security.org/danger/wheatblog.txt

which says:

> # require_once('./settings.php');
> ...
> # include_once("$wb_inc_dir/header.php");
> ...
> # http://www.victim.com/wheatblog/view_links.php?wb_inc_dir=Command-Shell

view_links.php does not define $wb_inc_dir, but if we look at settings.php, we have:

> $wb_dir = '/www/wheatblog';
> $wb_inc_dir = "$wb_dir/includes";

So, if the administrator sets $wb_dir to a fixed value, then $wb_inc_dir cannot be controlled by an attacker.

>MD News 1 Version - Remote File Include Vulnerabilities
>
>Link : http://www.root-security.org/danger/MDNews.txt

The extracted code from this link says:

> # $configfile = "config.php";
> # require $configfile;

and gives a demonstration URL:

> # http://www.victim.com/MD News/latest.php?configfile=Command-Shell

but here, again, the variable is defined to a static value (this particular source code can be seen from http://scripts.ringsworld.com/news-publishing/mdnews/latest.php.html).

I did not examine the claims for the other products that were listed in the original post.

- Steve
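The test Steve applies to each advisory by hand (is the variable in the include/require assigned a fixed value by code that runs first, in this file or in a statically included settings file, or is it left for the request to supply?) can be mechanized. The script below is an added example and is not part of Steve's post or of any of the products named in it. It assumes register_globals is on, which is the condition these advisories implicitly rely on, so a variable that is never assigned counts as attacker-controlled; it recognizes only simple `$var = ...;` assignments and literal-path includes by regular expression; and the file names and PHP snippets in SAMPLES are constructed, modelled on the fragments quoted above, not taken from the products.

```python
"""Triage PHP include/require statements for register_globals-style RFI.

Added example (not from the original post or any product named in it).
An include whose path is built from a variable is only exploitable if an
attacker controls that variable, so replay what runs before the include
and see whether the variable was given a fixed value.  Assumption:
register_globals is on, so a never-assigned variable is attacker data.
"""
import os
import re
from typing import Dict, List, Tuple

# include/require/include_once/require_once, with or without parentheses.
INCLUDE_RE = re.compile(
    r'\b(?:include|require)(?:_once)?\b\s*\(?\s*([^;]+?)\s*\)?\s*;', re.IGNORECASE)
# Simple assignments only: `$name = <anything up to ;>;` (not ==, !=, .=).
ASSIGN_RE = re.compile(r'\$(\w+)\s*=(?!=)\s*([^;]+);')
VAR_RE = re.compile(r'\$(\w+)')
# One quoted string with no interpolated variable: a fixed value.
LITERAL_RE = re.compile(r"""^(?:'[^'$]*'|"[^"$]*")$""")
# Request arrays (superglobals plus the pre-PHP 4.1 names): always attacker data.
REQUEST_ARRAYS = {'_GET', '_POST', '_REQUEST', '_COOKIE',
                  'HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS'}

Env = Dict[str, Tuple[str, str]]  # variable -> (rhs text, file it was set in)


def _classify(name: str, env: Env, seen: frozenset = frozenset()) -> str:
    """Return 'static', 'attacker' or 'unknown' for one variable."""
    if name in REQUEST_ARRAYS or name not in env:
        return 'attacker'          # request data, or never assigned (register_globals)
    if name in seen:
        return 'unknown'           # circular definition; give up
    rhs = env[name][0]
    refs = VAR_RE.findall(rhs)
    if not refs:
        return 'static' if LITERAL_RE.match(rhs) else 'unknown'
    kinds = {_classify(r, env, seen | {name}) for r in refs}
    if 'attacker' in kinds:
        return 'attacker'
    return 'static' if kinds == {'static'} else 'unknown'


def triage(files: Dict[str, str], entry: str) -> List[dict]:
    """Report every include/require in `entry` whose path involves a variable.

    `files` maps file name -> PHP source.  Files included by literal path before
    the statement under review contribute their assignments (the settings.php case).
    """
    src = files[entry]
    findings = []
    for inc in INCLUDE_RE.finditer(src):
        refs = VAR_RE.findall(inc.group(1))
        if not refs:
            continue               # literal path: nothing for an attacker to control
        # Replay, in source order, what runs before this include.
        events = [(m.start(), 'assign', m) for m in ASSIGN_RE.finditer(src, 0, inc.start())]
        events += [(m.start(), 'include', m) for m in INCLUDE_RE.finditer(src, 0, inc.start())]
        env: Env = {}
        for _, kind, m in sorted(events, key=lambda e: e[0]):
            if kind == 'assign':
                env[m.group(1)] = (m.group(2).strip(), entry)
            elif LITERAL_RE.match(m.group(1).strip()):
                included = os.path.basename(m.group(1).strip().strip('\'"'))
                for a in ASSIGN_RE.finditer(files.get(included, '')):
                    env[a.group(1)] = (a.group(2).strip(), included)
        kinds = {r: _classify(r, env) for r in refs}
        if 'attacker' in kinds.values():
            verdict = 'exploitable'
        elif set(kinds.values()) == {'static'}:
            verdict = 'not exploitable'
        else:
            verdict = 'review'
        findings.append({'statement': inc.group(0).strip(), 'verdict': verdict,
                         'variables': {r: (kinds[r], env.get(r, ('', None))[1]) for r in refs}})
    return findings


# Constructed inputs, modelled on the fragments quoted in the post (hypothetical file names).
SAMPLES = {
    # MD News latest.php style: the variable is fixed right before the require.
    'latest.php': '<?php\n$configfile = "config.php";\nrequire $configfile;\n',
    # wheatblog style: the variable is defined in a statically included settings file.
    'view_links.php': '<?php\nrequire_once(\'./settings.php\');\n'
                      'include_once("$wb_inc_dir/header.php");\n',
    'settings.php': '<?php\n$wb_dir = \'/www/wheatblog\';\n$wb_inc_dir = "$wb_dir/includes";\n',
    # The pattern the advisories describe: nothing assigns $page before it is included.
    'page.php': '<?php\ninclude($page . \'.php\');\n',
    # Same problem with register_globals off: the variable is read from the request.
    'view.php': '<?php\n$tpl = $_GET[\'tpl\'];\ninclude("$tpl/main.php");\n',
}

if __name__ == '__main__':
    for entry in ('latest.php', 'view_links.php', 'page.php', 'view.php'):
        for f in triage(SAMPLES, entry):
            print(f"{entry}: {f['statement']}  ->  {f['verdict']}  {f['variables']}")
```

Run as-is, it reports the MD News and wheatblog shapes as not exploitable (with the file the variable was set in), and the unassigned and $_GET-fed shapes as exploitable. A "not exploitable" verdict means only that the path is fixed by code that runs first; the script does not follow dynamic includes, function scope or strings containing semicolons, and the settings-file case still rests on the administrator, not the request, controlling that file, which is exactly the caveat Steve raises.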