[VIM] CVE dispute for Bloo RFI
Steven M. Christey
coley at mitre.org
Tue Nov 21 17:31:53 EST 2006
Researcher: the_Edit0r
Ref: BUGTRAQ:20061116 Bloo => 1.00 Remote File Include Vulnerability
http://www.securityfocus.com/archive/1/archive/1/451818/100/0/threaded
># CodE :
>include( $descriptorFileList );
In a diff of phoo.base.php (as of 20061110 back to March 2006):
http://bloo.cvs.sourceforge.net/bloo/bloo/phoo.base.php?r1=1.1&r2=1.30.2.6
we see that there's no "include( $descriptorFileList );" but, in fact:
@include( $descriptorFileList[ 0 ] );
include( $descriptorFileList[ 0 ] );
and similar statements.
So, first of all, the claimed code doesn't appear to exist, at least
not in recent versions.
Second, phoo.base.php (as of 20061110) is laid out as:
class PhooSession extends PhooBase {
...
function loadThemes( $themeRoot, $virtualThemeLoadCommand = null ) {
...
/* read the theme descriptor */
include( $descriptorFileList[ 0 ] );
So, we have a variable use within a function definition.
For the version dating back to March 2006, we have:
function verifyTheme( $themeRoot, $theme ) {
...
@include( $descriptorFileList[ 0 ] );
and
function loadTheme( $themeRoot, $theme ) {
...
@include( $descriptorFileList[ 0 ] );
So, at best, the original report is incorrect for recent versions of
Bloo.
- Steve
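The two checks Steve applies above (does the statement quoted in the advisory occur verbatim, and is the included variable used at file scope or inside a function?) as a small triage script. This is an added example, not part of the original post or the Bloo project; the PHP sample embedded in it is constructed to mirror the excerpts quoted above and is not the real phoo.base.php.

```python
import re
# Constructed sample laid out like the phoo.base.php excerpts above; not the real Bloo source.
SAMPLE_SOURCE = """\
<?php
class PhooSession extends PhooBase {
    function loadThemes( $themeRoot, $virtualThemeLoadCommand = null ) {
        /* read the theme descriptor */
        include( $descriptorFileList[ 0 ] );
    }
    function verifyTheme( $themeRoot, $theme ) {
        @include( $descriptorFileList[ 0 ] );
    }
}
"""
# include/require (optionally @-suppressed) whose argument is a variable; subscripts are kept
INCLUDE_RE = re.compile(
    r'@?\b(?:include|require)(?:_once)?\s*\(?\s*(\$[A-Za-z_]\w*(?:\s*\[[^\]]*\])*)')
FUNC_RE = re.compile(r'\bfunction\s+(\w+)\s*\(')

def normalize(stmt):
    """Drop whitespace so `include( $x );` and `include($x);` compare equal."""
    return re.sub(r'\s+', '', stmt)

def claimed_statement_present(source, claimed):
    """True if the statement quoted in the advisory occurs verbatim (modulo spacing)."""
    return any(normalize(claimed) in normalize(line) for line in source.splitlines())

def find_variable_includes(source):
    """Return (line_no, variable, enclosing_function) for each include of a variable.
    None means file scope, where register_globals could populate an unset variable
    from the request; a function-local variable is not reachable that way."""
    hits, stack, depth, pending = [], [], 0, None
    for lineno, line in enumerate(source.splitlines(), 1):
        m = FUNC_RE.search(line)
        if m:
            pending = m.group(1)  # the function body opens at the next '{'
        for ch in line:
            if ch == '{':
                depth += 1
                if pending:
                    stack.append((pending, depth))
                    pending = None
            elif ch == '}':
                if stack and stack[-1][1] == depth:
                    stack.pop()
                depth -= 1
        inc = INCLUDE_RE.search(line)
        if inc:
            hits.append((lineno, inc.group(1), stack[-1][0] if stack else None))
    return hits
```

Run against the real file, the script reports the exact statement quoted in the advisory as absent and each `include( $descriptorFileList[ 0 ] )` as function-local, which is the basis of the dispute.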