[VIM] probably false: pfa RFI
Steven M. Christey
coley at mitre.org
Wed May 9 16:55:01 UTC 2007
Researcher: iLker Kandemir
Ref: BUGTRAQ pfa CMS v6.0 (index.php repinc) Remote File Include Vulnerability
http://www.securityfocus.com/archive/1/archive/1/467827/100/0/threaded
index.php starts with:
session_start(); //start the session
require('config.inc.php'); //include the configuration file
require($repinc.'functions.inc.php'); //include the functions
All together now! config.inc.php contains:
$repinc = 'include/';
I say "probably" because there are lots of other includes. However,
this is the only place where $repinc is set, and grep doesn't show any
evidence of dynamic variable evaluation or extract calls.
- Steve
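
Added example (not part of the original post and not pfa CMS code): a Python triage script that repeats the check described above on a constructed copy of the two quoted files. It follows literal includes in execution order, reports include statements whose variables have no earlier literal assignment, and flags extract-style constructs; the name triage and the SAMPLE dictionary are assumptions made for illustration.

```python
import re

# Constructed sample: the two files as quoted in the post.
SAMPLE = {
    "index.php": "<?php\n"
                 "session_start();\n"
                 "require('config.inc.php');\n"
                 "require($repinc.'functions.inc.php');\n",
    "config.inc.php": "<?php\n$repinc = 'include/';\n",
}

INCLUDE = re.compile(r"^\s*(?:require|include)(?:_once)?\b\s*\(?\s*([^;]*?)\)?\s*;")
LITERAL = re.compile(r"^['\"]([^'\"$]+)['\"]$")
ASSIGN = re.compile(r"\$(\w+)\s*=\s*['\"][^'\"$]*['\"]\s*;")
# Constructs that can overwrite a variable from request data.
DYNAMIC = re.compile(r"\b(?:extract|parse_str|import_request_variables)\s*\(|\$\$")

def triage(files, entry):
    """Follow literal includes from `entry` in execution order; return findings."""
    assigned, seen, findings = set(), set(), []

    def walk(name):
        if name in seen or name not in files:
            return
        seen.add(name)
        for lineno, line in enumerate(files[name].splitlines(), 1):
            if DYNAMIC.search(line):
                findings.append((name, lineno, "dynamic variable construct"))
            assigned.update(m.group(1) for m in ASSIGN.finditer(line))
            inc = INCLUDE.match(line)
            if not inc:
                continue
            expr = inc.group(1).strip()
            lit = LITERAL.match(expr)
            if lit:
                walk(lit.group(1))  # included file runs before the next line
                continue
            for var in re.findall(r"\$(\w+)", expr):
                if var not in assigned:
                    findings.append((name, lineno, f"${var} not set before include"))

    walk(entry)
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE, "index.php") or "no unset include variables found")
```

The check is line-based, so an assignment inside a conditional branch still counts as set; a clean result narrows the manual review, it does not replace it.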