[VIM] snif RFI curiosity

str0ke str0ke at milw0rm.com
Mon Dec 4 09:21:09 EST 2006


Confirmed fake.  Removing it now.

/str0ke

On 12/4/06, George A. Theall <theall at tenablesecurity.com> wrote:
> Steven M. Christey wrote:
>
> > Ref: http://www.milw0rm.com/exploits/2868
> ...
> > While $_GET is cleansed in a way that feels funny on line 1215, there
> > is no apparent dynamic variable evaluation, include/require, or eval
> > in between the two lines.
>
> I don't think it's valid. The code you refer to only cleans the $_GET
> array and $externalConfig is never set other than in the one spot where
> it's hardcoded to "" as you noted.
>
>
> George
> --
> theall at tenablesecurity.com
>

