On Tue, 21 Aug 2007, 3APA3A wrote: > 6. Ivan Niiiil (http://uNkn0wn.eu) reports vulnerabilities in > Linkliste 1.2, Butterfly online vistors counter 1.08, mcLinksCounter > 1.2, My_REFERER 1.08. > > Original messages in English are available from > http://securityvulns.com/source26994.html This issue, originally reported in CVE-2006-4863 for 1.1, was disputed by CVE and another party because langfile was set to a hard-coded value (english.php) before the include statement. For 1.2, there's a different hard-coded value (french.php) but the issue seems to be the same. From stats.php in 1.2 we have: include "mclc.php"; include "$langfile"; and mclc.php has the interesting idiom: if (!empty($_GET)) { extract($_GET, EXTR_OVERWRITE); } whose security implications should be immediately apparent to PHP aficionados everywhere. (I refer to this as a "variable extraction error", CWE-621). However, after this code, we have: $langfile="french.php"; french.php itself has no include/require code. So, if this issue is legitimate, it would be useful to know how this exploit works. Thanks, Steve
