[VIM] PHP file inclusions in PHP Developer Library 1.5.3 (some disputed)

Heinbockel, Bill heinbockel at mitre.org
Mon Oct 23 09:43:26 EDT 2006


In the past 2 weeks there have been 3 separate issues
involving the Softerra PHP Developer Library 1.5.3:

(1) http://www.milw0rm.com/exploits/2511
(2) http://www.milw0rm.com/exploits/2520
(3) BUGTRAQ:20061020 PHPLibrary-1.5.3(Description.php) Remote File Include
    http://www.securityfocus.com/archive/1/archive/1/449355/100/0/threaded

Upon brief source code inspection, the first two appear to be
legitimate.

DISPUTED
The third issue appears to be a lack of research on
the part of the reporter (due to grep or Google Code Search).
The distribution as of 20061023 does not contain a file called
Description.php. It does, however, contain a Description file
(no file extension) which does contain the reported line (line 253):
>     include ($lib_dir . "sqlstorage.class.php");

However there is no clear way to get this file to be handled by the
PHP interpreter (mod_php or similar).
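As an added triage example (not part of this post or of the library's own code), the script below walks a distribution, finds include/require statements whose path starts with a variable, and reports whether the containing file even has an extension the PHP handler would execute. The extension list and the sample tree (a "Description" file with no extension next to a real .php file, both carrying the quoted line) are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Extensions a typical mod_php / php-fpm setup hands to the interpreter.
# Assumption for this example; check the real server configuration.
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5"}

# include/require whose argument starts with a variable, e.g.
#   include ($lib_dir . "sqlstorage.class.php");
INCLUDE_RE = re.compile(
    r"\b(include|require)(_once)?\s*\(?\s*\$[A-Za-z_]\w*", re.IGNORECASE)


def find_variable_includes(root):
    """Return sorted (relpath, lineno, reachable) tuples for every line that
    includes a file through a variable-derived path. `reachable` is True only
    when the containing file's extension is one the PHP handler executes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if INCLUDE_RE.search(line):
                        rel = os.path.relpath(path, root)
                        findings.append((rel, lineno, ext in PHP_EXTENSIONS))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample mirroring the disputed report: a 'Description' file
    with no extension and a .php file, both containing the same include."""
    root = tempfile.mkdtemp()
    line = 'include ($lib_dir . "sqlstorage.class.php");\n'
    with open(os.path.join(root, "Description"), "w") as fh:
        fh.write("Some release notes\n" + line)
    with open(os.path.join(root, "sample.php"), "w") as fh:
        fh.write("<?php\n" + line)
    return root


if __name__ == "__main__":
    for rel, lineno, reachable in find_variable_includes(build_sample_tree()):
        print(f"{rel}:{lineno} reachable by PHP handler: {reachable}")
```

Only findings flagged reachable deserve a follow-up; an unreachable hit like the "Description" one is a candidate for dispute, not a vulnerability.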


William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

