[VIM] Source VERIFY and patch for gepi RFI

Steven M. Christey coley at mitre.org
Thu Nov 2 19:07:56 EST 2006

Reference: http://www.milw0rm.com/exploits/2692
Researcher: $um$id

Version 1.4.0 has this in gestion/savebackup.php:


with no cleansing of $_GET beforehand, so that's a pretty clear issue.

Looking at version 1.4.4, a diff shows a lot of changes being made to
savebackup.php, including session checking (not shown below) and
whitelisting of possibly valid filenames (!!!!):

  $dirname = getSettingValue("backup_directory");


  $handle=opendir('../backup/' . $dirname);
  $tab_file = array();
  [populate $tab_file with files in the directory]

  $m = 0;
  foreach($tab_file as $value) {
  		if ($m == $_GET['fileid']) {
  			$filepath = "../backup/".$dirname."/".$value;
  			$filename = $value;



For those who keep track, gepi-1.4.4 was created Oct 16, but the
vulnerability disclosure was apparently Oct 31.

I didn't look at versions between 1.4.0 and 1.4.4.

- Steve

More information about the VIM mailing list