It has come to our attention that someone named Hasadya Raed
has posted reports of remote include vulnerability in SPAW Editor PHP Edition version 1.2.4 in numerous places on the web (or at least they were copied from some source) like this

The report states that the file img_library.php is vulnerable because
it includes following lines:

include $spaw_root.’class/util.class.php’;
include $spaw_root.’class/lang.class.php’;

Since he found these lines he should have noticed that right above
them there’s a line like this:

include ‘../config/spaw_control.config.php’;

And any working copy of SPAW Editor MUST HAVE the file config/spaw_control.config.php and almost at the beginning of that
file there’s a line

$spaw_root = realpath(dirname(__FILE__).”/..”);

which defines $spaw_root variable which is later used in the lines stated as vulnerable.

While we accept that there is a very theoretic possibility that somebody just extracts SPAW’s archive into some directory and then don’t even tries to configure it but exposes this “installation” to the world and has register_globals set to “on”, we believe that this situation is so unlikely that it doesn’t deserve to be claimed as security threat and be spread all over security-related web sites.

We haven’t received any comments from Hasadya Raed so far. I will update this post if there are developments on this matter.

This entry was posted on Friday, March 9th, 2007 at 12:57 pm and is filed under SPAW Editor. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.