Re: BOGUS: Atsphp 5.0.1 [Top Sites] [index.php] - Remote File Include

[Mailinglists Address <mailinglist () expresshosting net>]

<snip class="drivel">
> file ;
> index.php
> sources/usercp.php
> sources/admin.php
>
> ########################################################################
>
> bugs ;
>
> require_once("{$CONF['path']}/sources/misc/classes.php");
>
>
> ########################################################################
> exp;
> /atsphp-5.0.1/index.php?CONF[path]=evilcode?
> /atsphp-5.0.1/sources/usercp.php?CONF[path]=evilcode?
> /atsphp-5.0.1/sources/admin.php?CONF[path]=evilcode?
>
> ########################################################################
>   
</snip>

in the index.php the $CONF['path'] variable is overwritten on line 20,
with line 26 being the require_once() call:

$CONF['path'] = '.';

This same line also is applied in the following file(s):

ssi.php
captcha.php
button.php
install/index.php
install/upgrade.php

in the source/user_cp.php file (incorrectly noted as usercp.php):
since the referenced require_once is enclosed in a class it is
impossible to instance this class and subsequently call the
require_once() on line 29.

in the source/admin.php file:
the same applies to this file as the require_once() are encapsulated
within a class that can not be instanced.

Tom Walsh
Express Web Systems, Inc.