Message-Id: <200610102330.k9ANUFuO029469@faron.mitre.org>
Date: Tue, 10 Oct 2006 19:30:15 -0400 (EDT)
From: "Steven M. Christey" <coley@...re.org>
To: str0ke@...w0rm.com, xp1o@....com
Cc: bugtraq@...urityfocus.com
Subject: Re: The latest version of iSearch is V2.16 <= (index.php) Remote File Inclusion Exploit
str0ke said:
>index.php seems patched to me.
The following code was in 2.15, which also suggests that the issue
might not exist, at least for index.php:
$isearch_path = '.';
define('IN_ISEARCH', true);
require_once "$isearch_path/inc/core.inc.php";
require_once "$isearch_path/inc/search.inc.php";
However, there are other uses of $isearch_path later on in the code
(again, 2.15):
include("$isearch_path/inc/header.inc.php");
...
require_once "$isearch_path/inc/form_internal.inc.php";
...
include "$isearch_path/inc/footer.inc.php";
So, we might want to look into inc/core.inc.php and other include
files for evidence of dynamic variable evaluation or other
functionality that could overwrite $isearch_path for the later
include/require invocations.
Unfortunately, core.inc.php is encoded with the statement "This file
is protected by copyright law and provided under license. Reverse
engineering of this file is strictly prohibited."
At this point, the original report is not provably erroneous without
doing the base64-decode of the protected file and peeking in. But
since this post is about technical accuracy and not legal matters,
I'll stop there.
- Steve
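As an added example (not part of this message, nor iSearch's own code), a small Python audit script that does the check Steve proposes: it lists every include/require whose path expression reads a variable, and flags files containing constructs (extract(), variable-variables, parse_str()) that could overwrite that variable before the include runs. INDEX_PHP reproduces the 2.15 lines quoted above; CORE_HYPOTHETICAL is a constructed stand-in, since the real core.inc.php is encoded.

```python
import re
# Constructed sample: INDEX_PHP reproduces the iSearch 2.15 lines quoted in the message;
# CORE_HYPOTHETICAL stands in for the encoded core.inc.php and is NOT its real content.
INDEX_PHP = """<?php
$isearch_path = '.';
define('IN_ISEARCH', true);
require_once "$isearch_path/inc/core.inc.php";
require_once "$isearch_path/inc/search.inc.php";
include("$isearch_path/inc/header.inc.php");
require_once "$isearch_path/inc/form_internal.inc.php";
include "$isearch_path/inc/footer.inc.php";
"""
CORE_HYPOTHETICAL = """<?php
// constructed stand-in: populates variables straight from request data
extract($_REQUEST);
$$name = $value;
"""
INCLUDE_RE = re.compile(r'\b(include_once|require_once|include|require)\b([^;]*);')
# Constructs that can (re)define arbitrary variables, including one later used as an
# include path. register_globals=On in php.ini has the same effect with no code at all.
DYNVAR_PATTERNS = {
    'extract()': r'\bextract\s*\(',
    'variable-variable ($$)': r'\$\$\w+',
    'parse_str()': r'\bparse_str\s*\(',
}

def variable_path_includes(src):
    """(function, variable) for every include/require whose path expression reads a variable."""
    hits = []
    for m in INCLUDE_RE.finditer(src):
        func, expr = m.group(1), m.group(2)
        expr = re.sub(r"'[^']*'", "", expr)  # single-quoted text is never interpolated
        for var in re.findall(r'\$(\w+)', expr):
            hits.append((func, var))
    return hits

def dynamic_variable_sinks(src):
    """Labels of the dynamic-variable constructs present in src."""
    return [label for label, pat in DYNVAR_PATTERNS.items() if re.search(pat, src)]

def assess(files):
    """files maps path -> source; group include sites by trusted variable, list possible overwriters."""
    include_vars, overwriters = {}, []
    for path, src in files.items():
        for func, var in variable_path_includes(src):
            include_vars.setdefault(var, []).append((path, func))
        if dynamic_variable_sinks(src):
            overwriters.append(path)
    return {'include_vars': include_vars, 'overwrite_candidates': overwriters}
```

Run assess() over the real, decoded include files to see which of them could reassign $isearch_path before the later include/require calls; an empty overwrite_candidates list (with register_globals off) is the evidence that the report does not apply.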