[VIM] snif RFI curiosity

George A. Theall theall at tenablesecurity.com
Mon Dec 4 05:41:49 EST 2006

Steven M. Christey wrote:

> Ref: http://www.milw0rm.com/exploits/2868
> While $_GET is cleansed in a way that feels funny on line 1215, there
> is no apparent dynamic variable evaluation, include/require, or eval
> in between the two lines.

I don't think it's valid. The code you refer to only cleans the $_GET 
array and $externalConfig is never set other than in the one spot where 
it's hardcoded to "" as you noted.

theall at tenablesecurity.com

More information about the VIM mailing list