it's not an inclusion bug, it is an fopen()/file corruption bug, this is the
vulnerable code in xarMLSXML2PHPBackend.php:
...
function create($ctxType, $ctxName)
{
assert('!empty($this->baseDir)');
assert('!empty($this->baseXMLDir)');
$this->fileName = $this->baseDir;
$this->xmlFileName = $this->baseXMLDir;
if (!ereg("^[a-z]+:$", $ctxType)) {
list($prefix,$directory) = explode(':',$ctxType);
if ($directory != "") {
$this->fileName .= $directory . "/";
$this->xmlFileName .= $directory . "/";
}
}
$dirForMkDir = $this->fileName;
if (!file_exists($dirForMkDir)) xarMLS__mkdirr($dirForMkDir, 0777);
$this->fileName .= $ctxName . ".php";
$this->xmlFileName .= $ctxName . ".xml";
$xmlFileExists = false;
if (file_exists($this->xmlFileName)) {
if (!($fp1 = fopen($this->xmlFileName, "r"))) {
xarLogMessage("Could not open XML input: ".$this->xmlFileName);
}
$data = fread($fp1, filesize($this->xmlFileName));
fclose($fp1);
$xml_parser = xml_parser_create();
xml_parse_into_struct($xml_parser, $data, $vals, $index);
xml_parser_free($xml_parser);
$xmlFileExists = true;
} else {
xarLogMessage("MLS Could not find XML input: ".$this->xmlFileName);
}
$fp2 = @fopen ($this->fileName, "w" );
if ($fp2 !== false) {
fputs($fp2, '<?php'."\n");
fputs($fp2, 'global $xarML_PHPBackend_entries;'."\n");
fputs($fp2, 'global $xarML_PHPBackend_keyEntries;'."\n");
if ($xmlFileExists) {
foreach ($vals as $node) {
if (!array_key_exists('tag',$node)) continue;
if (!array_key_exists('value',$node)) $node['value'] = '';
if ($node['tag'] == 'STRING') {
$node['value'] = str_replace('\'', '\\\'',
$node['value']);
$start =
'$xarML_PHPBackend_entries[\''.$node['value']."']";
} elseif ($node['tag'] == 'KEY') {
$node['value'] = str_replace('\'', '\\\'',
$node['value']);
$start =
'$xarML_PHPBackend_keyEntries[\''.$node['value']."']";
} elseif ($node['tag'] == 'TRANSLATION') {
if ($this->outCharset != 'utf-8') {
$node['value'] =
$GLOBALS['xarMLS_newEncoding']->convert($node['value'], 'utf-8',
$this->outCharset, 0);
}
$node['value'] = str_replace('\'', '\\\'',
$node['value']);
if (!empty($node['value'])) {
fputs($fp2, $start . " = '".$node['value']."';\n");
}
}
}
}
fputs($fp2, "?>");
fclose($fp2);
} else {
xarLogMessage("Could not create file: ".$this->fileName);
global $xarML_PHPBackend_entries;
global $xarML_PHPBackend_keyEntries;
if ($xmlFileExists) {
foreach ($vals as $node) {
if (!array_key_exists('tag',$node)) continue;
if (!array_key_exists('value',$node)) $node['value'] = '';
if ($node['tag'] == 'STRING') {
$node['value'] = str_replace('\'', '\\\'',
$node['value']);
$entryIndex = $node['value'];
$entryType = 'string';
} elseif ($node['tag'] == 'KEY') {
$node['value'] = str_replace('\'', '\\\'',
$node['value']);
$entryIndex = $node['value'];
$entryType = 'key';
} elseif ($node['tag'] == 'TRANSLATION') {
if ($this->outCharset != 'utf-8') {
$node['value'] =
$GLOBALS['xarMLS_newEncoding']->convert($node['value'], 'utf-8',
$this->outCharset, 0);
}
$node['value'] = str_replace('\'', '\\\'',
$node['value']);
if ($entryType == 'string') {
$xarML_PHPBackend_entries[$entryIndex] =
$node['value'];
} elseif ($entryType == 'key') {
$xarML_PHPBackend_keyEntries[$entryIndex] =
$node['value'];
}
}
}
}
}
return true;
}
}
?>
however, this is my proof of cocept exploit:
http://www.milw0rm.com/id.php?id=1345
