Re: [ECHO_ADV_34$2006] W-Agora (Web-Agora) <= 4.2.0 (inc_dir) Remote File Inclusion

["Steven M. Christey" <coley () mitre org>]

> Successful exploitation requires that "register_globals= Off ".

That seems very strange, doesn't it?

Especially if you look at the source code.

Let's start with search.php, one of the vulnerable vectors:

  <?php

  ...

  require ("init.inc");

and in init.inc:

  require ("globals.inc");

  ...

  require ("$inc_dir/misc_func.$ext");

and in globals.inc:

  if (defined("_GLOBALS")) return;
  define('_GLOBALS', 1);

  ...

  $inc_dir    = 'include';


So - how could an attacker POSSIBLY modify the $inc_dir variable AFTER
it's set to a static value and when register_globals is off?

The answer is dynamic variable evaluation, which I posted about a
couple months ago at:

  http://www.securityfocus.com/archive/1/432828


If we look more closely at globals.inc, later on, we see this:

  if (!get_cfg_var("register_globals") ) {
      include "include/register_globals.$ext";
  }

and then if we look at register_globals.php, we see code like this:

        if (isset($HTTP_GET_VARS)) {
                reset($HTTP_GET_VARS);
                while ( list($var, $val) = each($HTTP_GET_VARS) ) {
                        $$var=$val;
                }
        }

as well as for $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_POST_FILES,
$HTTP_COOKIE_VARS.


This highlights the insidious nature of dynamic evaluation.

So - for those of us who have been questioning vulnerability reports
because we were seeing static values being set in include files - we
need to see if dynamic variable evaluation happens *after* the
variable is set, but *before* it's used.

Nasty, nasty stuff...

- Steve