[VIM] Maybe SpC-X was right after all...
George A. Theall
theall at tenablesecurity.com
Mon Jun 26 22:28:08 EDT 2006
Steven M. Christey wrote:
> I've been on what felt like a wild goose chase for a couple months, with
> all these disclosures that seem to handle include statements with values
> with static values.
>
> Turns out that at least some of it could be dynamic variable evaluation,
> which can overwrite the initial static value if it's called after the
> fact.
>
> Now we need to look more closely at SpC-X and other issues...

Agreed, although SpC-X has certainly been responsible for claiming
things such as this:

    $phphg_real_path = "./";
    include($phphg_real_path . 'common.php');

are exploitable when in fact they're not, regardless of any of PHP's
settings.

Btw, anyone else notice that SpC-X's web site at
http://www.root-security.org/ is giving 404's for everything now?

George
--
theall at tenablesecurity.com
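
Added example, not part of the original message and not code from either poster: a Python triage helper for remote-file-include reports of the kind discussed above. It separates an include whose variable was last set from a string literal from one where a dynamic variable evaluation construct runs between the assignment and the include. The function name triage_includes, the single-file line-by-line heuristic and the second sample are assumptions made for illustration.

```python
import re

# Constructs that can define or replace variables at runtime. Flagged
# conservatively: parse_str() with a second argument is safe but still matches.
DYNAMIC_EVAL = re.compile(
    r"\bextract\s*\(|\bimport_request_variables\s*\(|\bparse_str\s*\(|\$\$\w|\$\{\s*\$"
)
# $name = "literal"; or $name = 'literal'; with no interpolated variable inside.
LITERAL_ASSIGN = re.compile(r"""^\s*\$(\w+)\s*=\s*(["'])[^"'$]*\2\s*;""")
# include/require(_once) whose path expression starts with a variable.
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)")

# The snippet quoted in the message above.
PAGE_SNIPPET = """$phphg_real_path = "./";
include($phphg_real_path . 'common.php');
"""

# Constructed sample: the same code with dynamic evaluation after the assignment.
CONSTRUCTED_SAMPLE = """$phphg_real_path = "./";
extract($_REQUEST);
include($phphg_real_path . 'common.php');
"""


def triage_includes(php_source):
    """Return [(line_no, variable, verdict)] for each variable-led include.

    'static'       last set from a literal, nothing dynamic ran afterwards
    'overwritable' a dynamic-evaluation construct ran after the assignment
    'unassigned'   no literal assignment seen earlier in this file
    """
    state = {}  # variable name -> 'static' | 'overwritable'
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        inc = INCLUDE.search(line)
        if inc:
            name = inc.group(1)
            findings.append((line_no, name, state.get(name, "unassigned")))
            continue
        assign = LITERAL_ASSIGN.match(line)
        if assign:
            state[assign.group(1)] = "static"
        elif DYNAMIC_EVAL.search(line):
            # Every variable set so far may now hold a request-supplied value.
            state = {name: "overwritable" for name in state}
    return findings
```

A 'static' verdict only covers the file being scanned; an 'unassigned' or 'overwritable' result is a prompt for manual review, not proof of exploitability.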