[VIM] Maybe SpC-X was right after all...

George A. Theall theall at tenablesecurity.com
Mon Jun 26 22:28:08 EDT 2006


Steven M. Christey wrote:
> I've been on what felt like a wild goose chase for a couple months, with
> all these disclosures that seem to handle include statements with values
> with static values.
> 
> Turns out that at least some of it could be dynamic variable evaluation,
> which can overwrite the initial static value if it's called after the
> fact.
> 
> Now we need to look more closely at SpC-X and other issues...

Agreed, although SpC-X has certainly been responsible for claiming
things such as this:

  $phphg_real_path = "./";
  include($phphg_real_path . 'common.php');

are exploitable when in fact they're not, regardless of any of PHP's
settings.

Btw, anyone else notice that SpC-X's web site at
http://www.root-security.org/ is giving 404's for everything now?

George
-- 
theall at tenablesecurity.com


More information about the VIM mailing list