[VIM] snif RFI curiosity
George A. Theall
theall at tenablesecurity.com
Mon Dec 4 05:41:49 EST 2006
Steven M. Christey wrote:
> Ref: http://www.milw0rm.com/exploits/2868
...
> While $_GET is cleansed in a way that feels funny on line 1215, there
> is no apparent dynamic variable evaluation, include/require, or eval
> in between the two lines.
I don't think it's valid. The code you refer to only cleans the $_GET
array and $externalConfig is never set other than in the one spot where
it's hardcoded to "" as you noted.
George
--
theall at tenablesecurity.com