[VIM] [Full-disclosure] bug in oscomerce

security curmudgeon jericho at attrition.org
Mon Jun 19 02:46:47 EDT 2006


: I've been spending too much time investigating this issue, so I gotta 
: stop.  But figured I'd forward it to VIM if someone else wants to 
: investigate.  Since I don't have a conclusion I'll leave it off Bugtraq.
: 
: Is there a reason the original post didn't make it into any vuln dbs?

I can't find the reference, but I could have sworn this is a) intended 
functionality and b) requires authentication.

However, since the original post, OSVDB has included such issues if a web 
application admin can edit a .php file to include arbitrary code that 
would be executed on the server. Just because I have privilege to admin a 
blog, doesn't mean I should be able to run *any* PHP code on a server. 
However, if the application limits what can be added to a file, 
non-issue.



More information about the VIM mailing list