[pmwiki-users] pmwiki exploit

Nils Knappmeier nk at knappi.org
Tue Sep 5 07:17:48 CDT 2006


Hi,

I verified it, and it really works. Apparently, PHP does have a problem
unsetting variables under some circumstances. Actually, the following
statement at the beginning of pmwiki.php should prevent such an attack:

if (ini_get('register_globals'))
  foreach($_REQUEST as $k=>$v) {
    if (preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION)$/i', $k)) exit();
    unset(${$k});
  }

But due to the PHP problems, it does not really work. The exploit uses
this problem to set the value of $FarmD, which is used in several
include statements. It "includes" a PHP file from a remote server which
is then executed on the local PmWiki installation and can execute
arbitrary commands.

I think the problem can be solved by inserting

   ${$k} = "";

directly above the line "unset(${$k})". In this case, if someone tries
to inject a false $FarmD, it will be set to an empty string.

Nils

PS: I'd feel bad sending the exploit over this list, but if anyone wants
to see it and has trouble finding it, I can point you to the URL.
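The following is an added example, not code from pmwiki.php or from Nils's
message. It emulates register_globals (which was removed in PHP 5.4) by
copying every request parameter into the global scope, runs the sanitising
loop with the proposed pre-clear inserted, and lets you switch unset() off to
mimic the reported failure. The request contents, the scripts_path() helper
and the file name stdconfig.php are constructed for the illustration; they do
not describe how pmwiki.php actually resolves $FarmD.

```php
<?php
// Added example, not code from pmwiki.php or from the original post.

// Constructed request: the attacker supplies FarmD in the query string so
// that register_globals turns it into the global $FarmD.
$_REQUEST = array(
    'FarmD'    => 'http://attacker.example/payload',  // hypothetical value
    'pagename' => 'Main.HomePage',
);

// Emulation of register_globals: every request parameter becomes a global
// before the script's own code runs. Real register_globals did this
// implicitly; PHP >= 5.4 no longer has the option.
foreach ($_REQUEST as $k => $v) {
    $GLOBALS[$k] = $v;
}

// The pmwiki.php loop with the pre-clear from the message inserted above
// unset(). At file scope unset(${$k}) removes the global; inside this
// function $GLOBALS[$k] is used so the example can live in a function.
// $unset_works = false mimics the reported case where unset() has no effect.
function sanitize_request_globals($unset_works) {
    foreach ($_REQUEST as $k => $v) {
        if (preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION)$/i', $k)) {
            exit();
        }
        $GLOBALS[$k] = "";            // proposed fix: neutralise the value first
        if ($unset_works) {
            unset($GLOBALS[$k]);      // what the original unset(${$k}) intends
        }
    }
}

// Hypothetical helper standing in for the include statements the message
// mentions: it builds the path from whatever $FarmD currently holds, falling
// back to the script's directory when the variable is not set at all.
function scripts_path() {
    $farm = isset($GLOBALS['FarmD']) ? $GLOBALS['FarmD'] : dirname(__FILE__);
    return "$farm/scripts/stdconfig.php";
}

// Returns true when the path could pull code from a remote server.
function is_remote_include($path) {
    return preg_match('#^[a-z][a-z0-9+.-]*://#i', $path) === 1;
}

echo "before sanitising: ", scripts_path(), "\n";       // remote URL
sanitize_request_globals(false);                          // unset() ineffective
echo "after, unset ineffective: ", scripts_path(), "\n"; // "/scripts/stdconfig.php"
echo "remote include possible: ", is_remote_include(scripts_path()) ? "yes" : "no", "\n";

// With a working unset() the global disappears and the fallback is used.
$GLOBALS['FarmD'] = $_REQUEST['FarmD'];
sanitize_request_globals(true);
echo "after, unset works: ", scripts_path(), "\n";
```

Run it with `php example.php`. Before sanitising, the include path is the
attacker's URL; after the loop with the pre-clear, the path starts with an
empty string even if unset() silently fails, so the include can at worst fail
on a non-existent local file rather than fetch remote code. Whether PHP would
fetch a URL in include at all depends on allow_url_fopen (and, from PHP 5.2,
allow_url_include), so disabling those is a second layer worth having, and
running without register_globals removes the whole class of problem.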
