[VIM] Help Center Live

George A. Theall theall at tenablesecurity.com
Wed Aug 2 11:58:55 EDT 2006


I don't know if anyone's looked into this yet, but the flaw in Help
Center Live reported by Dr. Google (see BID 19256) is a local file
include flaw, not just a directory traversal. It is also closely related
to an earlier flaw, covered by BID 15404. To fix that issue, the code in
'templates/*/module.tpl' was changed from:

  include_once(dirname(__FILE__).'/../../..'.addslashes($_GET['file']));

to this:

  if (!strpos($_GET['file'], '..')) {
    include_once(dirname(__FILE__).'/../../..'.addslashes($_GET['file']));
  ...

Trouble is, strpos() returns 0 if 'file' starts with ".." so the code
change only partially resolved the earlier issue.

George
-- 
theall at tenablesecurity.com
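
The strpos() behaviour described in the message above, as an added example that is not part of the original post or of the Help Center Live code. The function names, sample inputs and the realpath()-based containment check are assumptions chosen for illustration.

```php
<?php
// Added example; function names and sample inputs are constructed.

// The check as quoted in the post. strpos() returns int 0 for a match at
// offset 0 and false for no match; !0 and !false are both true, so a value
// that begins with '..' is accepted just like one that contains no '..'.
function patched_check(string $file): bool {
    return !strpos($file, '..');
}

// Strict comparison separates "not found" (false) from "found at offset 0".
function strict_check(string $file): bool {
    return strpos($file, '..') === false;
}

// Containment check: resolve the final path and require it to stay under
// the base directory, instead of pattern-matching the raw request value.
function resolve_inside(string $base, string $file): ?string {
    $root = realpath($base);
    $path = realpath($base . '/' . $file);
    if ($root === false || $path === false) {
        return null; // base or target does not exist
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed inputs: a normal value, '..' in the middle, '..' at offset 0.
foreach (['/modules/help.php', '/a/../../x', '../../x'] as $s) {
    printf("%-20s patched=%-5s strict=%s\n", $s,
        var_export(patched_check($s), true),
        var_export(strict_check($s), true));
}
// patched_check() accepts the first and third inputs; strict_check()
// accepts only the first.

// Containment demo against this script's own directory.
var_dump(resolve_inside(__DIR__, basename(__FILE__)) !== null); // inside the base
var_dump(resolve_inside(__DIR__, '../'));                       // parent dir: NULL
```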

