[VIM] net2ftp: a web based FTP client :) <= Remote File Inclusion (fwd)
Steven M. Christey
coley at linus.mitre.org
Mon Oct 9 15:53:34 EDT 2006
Just to make the plot thicker:

http://www.net2ftp.org/forums/viewtopic.php?pid=6687

The vendor says "These reports are based on net2ftp versions 0.60 to 0.62,
which were released more than 3 years ago, in May-July 2003.
The newer versions of net2ftp are not vulnerable to a remote file
inclusion."

Then the code for admin/index.php (not the original index.php) is
apparently listed.

It's not clear whether the vendor is actually acknowledging the issue, or
just saying "the newer versions don't have it."

I sucked it up, registered, and posted the following inquiry:

Hello, I am the lead for the CVE vulnerability project. We assigned
CVE-2006-5097 to this issue.

Isn't $application_rootdir already defined in "settings.inc.php", which
is included by index.php? So how could an attacker actually modify
$application_rootdir? It's not clear to me where the vulnerability is.

- Steve