lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 22 Aug 2007 18:16:35 -0400 (EDT)
From: "Steven M. Christey" <>
To: 3APA3A <>
Subject: Re: Vulnerabilities digest

On Tue, 21 Aug 2007, 3APA3A wrote:

>   6.   Ivan   Niiiil  (  reports  vulnerabilities  in
>   Linkliste  1.2,  Butterfly online vistors counter 1.08, mcLinksCounter
>   1.2, My_REFERER 1.08.
>   Original messages in English are available from

This issue, originally reported in CVE-2006-4863 for 1.1, was disputed by
CVE and another party because langfile was set to a hard-coded value
(english.php) before the include statement.

For 1.2, there's a different hard-coded value (french.php) but the issue
seems to be the same.  From stats.php in 1.2 we have:

  include "mclc.php";
  include "$langfile";

and mclc.php has the interesting idiom:

  if (!empty($_GET)) { extract($_GET, EXTR_OVERWRITE); }

whose security implications should be immediately apparent to PHP
aficionados everywhere.  (I refer to this as a "variable extraction
error", CWE-621).

However, after this code, we have:


french.php itself has no include/require code.

So, if this issue is legitimate, it would be useful to know how this
exploit works.


Powered by blists - more mailing lists