[VIM] bogus - HitWeb v3.0 - Remote File Include Vulnerabilities

Steven M. Christey coley at linus.mitre.org
Tue Sep 19 15:54:03 EDT 2006


Doubly confirmed on my end, just in case.  Source code is unchanged since
September 2001.

By the way - it's likely that hitweb.conf is returned unprocessed by the
web server and thus leaks database credentials:

  // Database variables
  $DBNAME = 'hitweb';
  $DBUSER = 'root';
  $DBPASS = '';
  $DBHOST = '127.0.0.1';
  $BASE = 'mysql';


FYI, I'm still working on the wild goose chase theory that some of these
bad reports are due to some weird, obscure PHP bug (as opposed to bad
research methods being shared within a small group of people).

One researcher seemed to understand why his report was out-of-the-norm and
continued to say that the reports worked regardless.  He has since
provided me with some phpinfo() output from vulnerable sites that I still
need to pore through (don't-ask-don't-tell seems to be a good policy right
now).  Nothing substantive yet though.

- Steve
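The leak described above (a PHP configuration file handed back by the web server as plain text instead of being executed) is easy to check for from the defender's side. The following is an added example, not code from the post or from HitWeb: it parses PHP-style scalar assignments out of a response body, reports whether credential variables are exposed, and flags the weak settings visible in the quoted file (root account, empty password). The sample body is constructed to mirror the variable names quoted above; the regex, variable list and function names are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: what a server returns when it serves a PHP config
# file as plain text rather than executing it. Variable names follow the
# post; values are placeholders for this example.
SAMPLE_BODY = """// Database variables
$DBNAME = 'hitweb';
$DBUSER = 'root';
$DBPASS = '';
$DBHOST = '127.0.0.1';
$BASE = 'mysql';
"""

# PHP scalar assignment with a single- or double-quoted string value:
#   $NAME = 'value';
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=\s*(['\"])(.*?)\2\s*;", re.MULTILINE)

# Variable names (assumed, taken from the quoted file) that reveal
# database credentials if they show up in a served response body.
SENSITIVE = {"DBNAME", "DBUSER", "DBPASS", "DBHOST"}


def parse_php_assignments(body: str) -> Dict[str, str]:
    """Return {variable: value} for every quoted scalar assignment in body."""
    return {m.group(1): m.group(3) for m in ASSIGN_RE.finditer(body)}


def audit_leak(body: str) -> List[str]:
    """Describe what a served (unexecuted) config body gives away.

    An empty list means nothing credential-like was recognisable, which is
    what a correctly configured server (403, 404, or executed PHP) yields.
    """
    findings: List[str] = []
    assignments = parse_php_assignments(body)
    exposed = sorted(SENSITIVE & set(assignments))
    if exposed:
        findings.append(
            "config source served unprocessed; exposes " + ", ".join(exposed)
        )
    # Weak settings visible in the quoted file, worth reporting on their own.
    if assignments.get("DBUSER") == "root":
        findings.append("database user is root")
    if "DBPASS" in assignments and assignments["DBPASS"] == "":
        findings.append("database password is empty")
    return findings


if __name__ == "__main__":
    for line in audit_leak(SAMPLE_BODY):
        print("FINDING:", line)
    print("denied response:", audit_leak("<html>403 Forbidden</html>"))
```

In practice the body would come from a request to your own deployment for the config file's URL; a result of no findings for that URL, combined with a deny rule for `*.conf` in the web server, is the state to aim for, alongside a dedicated database account with a real password instead of root with none.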

