[VIM] Source VERIFY of MyABraCaDaWeb file inclusion
Steven M. Christey
coley at mitre.org
Tue Sep 12 11:34:22 EDT 2006
Ref: http://www.milw0rm.com/exploits/2335
Using the vendor URL provided in the origin disclosure, I got version
1.0.3, which is dated from March 2003 by the way. In index.php, we
have source code such as:
DEFINE(_base, "./"); // Script base
DEFINE(_classPath, $base."classes/"); // Class path
DEFINE(_functionPath, $base."fonctions/"); // Function path
DEFINE(_imagePath, $base."images/");
...
include (_classPath."vtemplate.class.php");
include (_classPath."mysql.class.php");
...
include (_functionPath."main.php");
Other variables are defined and used in include statements, but they
are all built from $base.
Looks like the developer didn't quite do what they intended... _base
is not used anywhere else in index.php.
- Steve
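A small heuristic checker for the mismatch Steve describes (a constant `_base` defined, but the include paths built from an unassigned `$base`), added here as an illustration; it is not part of the original post or of the MyABraCaDaWeb code, and the PHP sample inside it is constructed from the quoted lines.

```python
import re

# Constructed sample reproducing the pattern quoted in the post; it is not
# the real MyABraCaDaWeb index.php.
SAMPLE_PHP = '''<?php
DEFINE(_base, "./"); // script base
DEFINE(_classPath, $base."classes/"); // class path
DEFINE(_functionPath, $base."fonctions/"); // function path
DEFINE(_imagePath, $base."images/");
include (_classPath."vtemplate.class.php");
include (_functionPath."main.php");
'''

# What the developer evidently meant: build the paths from the constant,
# so nothing in the file depends on a variable the request can supply.
FIXED_PHP = SAMPLE_PHP.replace('$base.', '_base.')

DEFINE_RE = re.compile(r'\bdefine\s*\(\s*[\'"]?([A-Za-z_]\w*)[\'"]?\s*,', re.I)
VAR_RE = re.compile(r'\$([A-Za-z_]\w*)\b')
ASSIGN_RE = re.compile(r'\$([A-Za-z_]\w*)\s*[.+\-]?=(?!=)')
SUPERGLOBALS = {'GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER',
                '_FILES', '_ENV', '_SESSION', 'this'}


def find_shadowed_constants(src):
    """Heuristic check for the bug class in the post: a PHP variable that is
    read but never assigned in the file (so register_globals could supply it)
    while a constant of the same name, or the same name with a leading
    underscore, is defined. Returns (constant, variable, line_number) tuples."""
    constants = set(DEFINE_RE.findall(src))
    assigned = set(ASSIGN_RE.findall(src))
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for var in VAR_RE.findall(line):
            if var in assigned or var in SUPERGLOBALS:
                continue
            hit = {var, '_' + var} & constants
            if hit:
                findings.append((sorted(hit)[0], var, lineno))
    return findings


if __name__ == '__main__':
    for const, var, line in find_shadowed_constants(SAMPLE_PHP):
        print(f'line {line}: ${var} is never assigned, but constant {const} exists')
    print('fixed version findings:', find_shadowed_constants(FIXED_PHP))
```

The check is file-local and intentionally simple: it reports the three `$base` reads in the sample and nothing for the corrected version.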