[VIM] source verify of foing remote file inclusion

Steven M. Christey coley at mitre.org
Thu Jun 15 23:34:11 EDT 2006


Ref: Foing (manage_songs.php) Remote File Inclusion[phpBB]
     http://www.securityfocus.com/archive/1/archive/1/436793/100/0/threaded

Product is intended for use with phpBB.

Vendor has abandoned the project; http://foing.sourceforge.net/ says
"I'm sorry to say that Foing is dead, and has been so for quite some
time. Version 0.7.0 will most likely be the very last".  0.7.0 was
released in 2003.

Anyway, in manage_songs.php, at the very top we have:

  $page_title = 'manage songs';
  include($foing_root_path . 'includes/common.php');

so the remote inclusion is feasible using direct request.

It's not immediately clear where this script is used in the product,
but it's there.

- Steve
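
The source check described in the post above, automated as an added example (not part of the original message or of Foing): it flags include/require statements whose path starts with a variable the same file never assigns beforehand, which is the condition that matters when the script is requested directly. The function names, the sample strings and the `'./'` value in the corrected sample are assumptions made for illustration.

```python
import re

# include/require (and *_once) whose path expression starts with a variable.
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*\$([A-Za-z_]\w*)')
# Plain assignment `$name = ...` (excludes `==` and the array arrow `=>`).
ASSIGN_RE = re.compile(r'\$([A-Za-z_]\w*)\s*=(?![=>])')

def strip_comments(src):
    """Blank out /* */ blocks and whole-line // or # comments, keeping line numbers."""
    src = re.sub(r'/\*.*?\*/', lambda m: '\n' * m.group(0).count('\n'), src, flags=re.S)
    return re.sub(r'^[ \t]*(?://|#).*$', '', src, flags=re.M)

def find_unset_include_vars(src):
    """Return (line, variable) for each include whose leading variable
    has no earlier assignment in this file (single-file, top-down view)."""
    src = strip_comments(src)
    events = [(m.start(), 'assign', m.group(1)) for m in ASSIGN_RE.finditer(src)]
    events += [(m.start(), 'include', m.group(1)) for m in INCLUDE_RE.finditer(src)]
    assigned, findings = set(), []
    for pos, kind, name in sorted(events):
        if kind == 'assign':
            assigned.add(name)
        elif name not in assigned:
            findings.append((src.count('\n', 0, pos) + 1, name))
    return findings

# Constructed sample: the two lines quoted in the post, as a whole file.
VULNERABLE = """<?php
$page_title = 'manage songs';
include($foing_root_path . 'includes/common.php');
"""

# Constructed sample: same file with the path set first ('./' is an assumed value).
FIXED = """<?php
$foing_root_path = './';
$page_title = 'manage songs';
include($foing_root_path . 'includes/common.php');
"""

if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, find_unset_include_vars(sample))
```

The check is deliberately limited to one file: a variable that is only set by some other script that includes this one is still reported, because a direct request never runs that other script.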

