[geeklog-devel] 1.5 Installer stuff

Blaine Lang devel at portalparts.com
Thu Oct 11 23:06:37 EDT 2007


Joe Mucchiello wrote:
> Example: 
> http://example.com/geeklog/languages/english.php?_CONF[site_admin_url]=http://evil.com 
>
It may be just late for me but I will ask the question anyways. What 
vulnerability does the above create - as this is very different than a 
remote file include vulnerability. If someone wants to run english.php 
and change $_CONF['site_admin_url'] - what are they going to harm or see 
happen?

This is an issue in library files that have statements like
include($_CONF['site_url'] . '/myplugin/myfile.php') and someone passes 
in a new value for $_CONF['site_url'].
Not an issue if said file does an include of lib-common.php as that 
sets $_CONF and overrides any passed-in parameter values.
** above noted for background **

BTW: Adding the extra security test is a good idea and good practice - 
just exploring what you see as the exposed exploit.

Blaine
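
An added illustration, not part of the message above or of Geeklog's own code: a small Python audit that flags the pattern described in the message, an include built from $_CONF with no earlier include of lib-common.php. The PHP_SELF guard shape it accepts as the "extra security test" is an assumption, and the PHP snippets are constructed samples.

```python
import re

# include/require statement whose path expression references $_CONF[...]
CONF_INCLUDE = re.compile(
    r"(?<![$\w>])(?:include|require)(?:_once)?\b[^;]*?\$_CONF\s*\[", re.I)
# an include of lib-common.php, which per the post sets $_CONF itself
LIB_COMMON = re.compile(
    r"(?<![$\w>])(?:include|require)(?:_once)?\b[^;]*lib-common\.php", re.I)
# ASSUMED guard shape: test PHP_SELF, then die/exit on a direct request
DIRECT_GUARD = re.compile(r"PHP_SELF[^;]*\)\s*\{?\s*(?:die|exit)\b", re.I)


def strip_comments(src):
    """Blank out PHP comments while keeping line numbers stable."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"),
                 src, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(?://|#).*$", "", src)


def audit(src):
    """Return line numbers of $_CONF-based includes that are reached with
    no earlier lib-common.php include and no direct-access guard."""
    code = strip_comments(src)
    findings = []
    for m in CONF_INCLUDE.finditer(code):
        head = code[:m.start()]
        if LIB_COMMON.search(head) or DIRECT_GUARD.search(head):
            continue  # $_CONF was set by trusted code, or direct hits die
        findings.append(code.count("\n", 0, m.start()) + 1)
    return findings


# Constructed samples; the include line is the one quoted in the message.
VULNERABLE = """<?php
// require_once 'lib-common.php';  (commented out, so it does not count)
include($_CONF['site_url'] . '/myplugin/myfile.php');
"""
WITH_LIB_COMMON = """<?php
require_once '../lib-common.php';
include($_CONF['site_url'] . '/myplugin/myfile.php');
"""
GUARDED = """<?php
if (strpos($_SERVER['PHP_SELF'], 'myfile.php') !== false) {
    die('This file can not be used on its own.');
}
include($_CONF['site_url'] . '/myplugin/myfile.php');
"""

if __name__ == "__main__":
    for name in ("VULNERABLE", "WITH_LIB_COMMON", "GUARDED"):
        print(name, audit(globals()[name]))
```

The check is a regex heuristic over source text, so a flagged line is a prompt for manual review rather than proof of an exploitable include.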




