[geeklog-devel] 1.5 Installer stuff
Blaine Lang
devel at portalparts.com
Thu Oct 11 23:06:37 EDT 2007
Joe Mucchiello wrote:
> Example:
> http://example.com/geeklog/languages/english.php?_CONF[site_admin_url]=http://evil.com
>
It may be just late for me but I will ask the question anyways. What
vulnerability does the above create - as this is very different than a
remote file include vulnerability. If someone wants to run english.php
and change $_CONF['site_admin_url'] - what are they going to harm or see
happen?
This is an issue in library files that have stmts like
include($_CONF['site_url'] . '/myplugin/myfile.php') and someone passes
in a new value for $_CONF['site_url']
Not an issue if said file does an include of lib-common.php as that
sets $_CONF and overrides any passed in parm values.
** above noted for background **
BTW: Adding the extra security test is a good idea and good practice -
just exploring what you see as the exposed exploit.
Blaine
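
The following PHP script is an added example, not part of the original message and not Geeklog's code. It models the three cases discussed above: a library file requested directly with a request-supplied `$_CONF`, the same request with the extra direct-access test in place, and the normal path where lib-common.php assigns `$_CONF` first. The function names, the library file name `mylib.php`, and the request values are assumptions made for illustration; `parse_str()` stands in for `register_globals = On`, and the script only returns the path that would be passed to `include()` instead of including anything.

```php
<?php
// Added example with constructed input; all function names are hypothetical.

// Stand-in for register_globals = On: request parameters become variables
// in the script's scope before its first line runs.
function request_scope(string $query): array
{
    parse_str($query, $vars); // "_CONF[site_url]=x" => ['_CONF' => ['site_url' => 'x']]
    return $vars;
}

// Stand-in for lib-common.php: assigns $_CONF from the site's own config,
// discarding anything the request put there.
function load_common(array $scope): array
{
    $scope['_CONF'] = ['site_url' => 'http://example.com/geeklog'];
    return $scope;
}

// Returns the path a library file (hypothetical name: mylib.php) would pass to include().
function library_include_path(array $scope, string $phpSelf, bool $guard, bool $viaCommon): string
{
    // The extra security test: refuse to run when this file is the requested script.
    if ($guard && stripos($phpSelf, 'mylib.php') !== false) {
        return 'refused: this file can not be used on its own';
    }
    if ($viaCommon) {
        $scope = load_common($scope);
    }
    return ($scope['_CONF']['site_url'] ?? '') . '/myplugin/myfile.php';
}

$query  = '_CONF[site_url]=http://attacker.example'; // constructed request parameter
$direct = '/geeklog/plugins/myplugin/mylib.php';      // library file requested directly
$index  = '/geeklog/index.php';                       // normal entry point

$cases = [
    'direct, no guard'   => [$direct, false, false],
    'direct, with guard' => [$direct, true,  false],
    'via lib-common.php' => [$index,  true,  true],
];
foreach ($cases as $label => [$self, $guard, $viaCommon]) {
    $path = library_include_path(request_scope($query), $self, $guard, $viaCommon);
    printf("%-20s %s\n", $label, $path);
}
```

Only the first case lets the request choose the include path; the guard covers library files that can be reached without lib-common.php having run first.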