Vim backup Source Disclosure Vulnerability

[Chris Gragsone <maetrics () realwarp net>]

Vim backup Source Disclosure Vulnerability
by Chris Gragsone
Foot Clan

Date: December 27, 2001
Advisory ID: Foot-20011227
Impact of vulnerability: Source Disclosure
Exploitable: Remote
Maximum Risk: Moderate

Affected Software:
Vim

Vulnerability Description:

Vim is an improved version of the editor "vi", one of the standard text 
editors on UNIX systems. Vim includes a 'backup' option, that once set 
Vim renames the original file before it is overwritten. A malicous user 
can request the backup name for the script bypassing the server side 
processing and disclouse the script's source code.

In Vim 3.0 and earlier, the 'backup' option is set by default, and the 
originial file is renamed to a filename appended with '.bak'. This 
option is disabled by default in Vim 4.0 and later. However, if enabled 
the original file is renamed to a filename appended with '~'. In each 
case the backup file keeps the original permissions

This is not a software bug rather a misconfiguration or administrative 
oversight. The specific request involved with this vulnerability cannot 
belong to a legitimate connection. This vulnerability has been tested 
with PHP4 on Apache, but should affect all other scripts which are 
routinely edited in the manner.

Vulnerability Reproduction:
with Vim 4.0 and later: http://footclan.realwarp.net/passwd.php~
with Vim 3.0 and earlier: http://footclan.realwarp.net/passwd.php.bak

References:
http://www.vim.org/

Contact:
http://footclan.realwarp.net/
Chris Gragsone (maetrics () realwarp net)

Disclaimer:
The contents of this advisory are copyright (c)2001 Foot Clan and may be 
distributed freely provided that no fee is charged for this distribution 
and proper credit is given.