[VIM] [false] Remote File Include In Script stat12

Steven M. Christey coley at linus.mitre.org
Wed Apr 11 23:03:15 UTC 2007


Agreed - I accidentally did a similar investigation because I forgot you
had posted this :)

I have no idea where the "stat12" came from since it's not part of the
live site that appears to have the unparsed i-Stats code.

If you change the "counter.php" on the live site to index.php, which was
the program in the original disclosure, you have:

  require_once(LANGPATH . $cfg['langFile']);

which obviously is not a "langpath" parameter.

Hey Gadi - RaeD seems to be one of the worst offenders right now and
identifies as Israeli.  Do you feel like using your subtle,
non-confrontational style to see if he can change his ways?  ;-)

- Steve

On Tue, 3 Apr 2007, GM darkfig wrote:

> Message: http://www.securityfocus.com/archive/1/464582/30/0/threaded
> Author: RaeD at BsdMail.Com
> When we search "Copyright (c) 2004 by Sam Tang" there is only one
> result (1) and on the server, the php is not interpreted ... we can
> read the source code. The title of the script is not "stat12" but "PHP
> i-Stats". The website (2) of the author is down. The file inclusion
> will not work:
>
>   require_once('global.php'); ... define('LANGPATH', 'lang/');
> [1] - http://www.tiger.edu.pl/
> [2] - http://www.samphp.com
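As an added triage aid (not from this thread, and not i-Stats code), the check below applies the reasoning above to PHP source: an include whose path starts with a define()'d constant or a string literal cannot be redirected by request input, whereas one that reads a superglobal is a genuine RFI candidate. The two PHP snippets are constructed to mirror the lines quoted in the thread; the file names and the `$dir` variable in the third case are assumptions.

```python
import re

# Constructed sample mirroring the pattern quoted in the thread
# (a define()'d LANGPATH prefix); NOT the real i-Stats source.
ISTATS_LIKE = """<?php
require_once('global.php');
define('LANGPATH', 'lang/');
require_once(LANGPATH . $cfg['langFile']);
"""

# Constructed sample of a genuinely parameter-driven include,
# so the classifier has something to flag.
PARAM_DRIVEN = """<?php
include($_GET['langpath'] . 'lang.php');
"""

INCLUDE_RE = re.compile(r'\b(?:require|include)(?:_once)?\s*\(?\s*(.+?)\s*\)?\s*;')
DEFINE_RE = re.compile(r"define\(\s*'([A-Za-z_]\w*)'")
SUPERGLOBAL_RE = re.compile(r'\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b')


def classify_includes(php_source):
    """Return (argument, verdict) for each include/require in php_source.

    'constant'    : path starts with a define()'d constant or a string literal;
                    request input cannot replace it (register_globals only
                    creates variables, never constants).
    'superglobal' : path reads request input directly, a real RFI candidate.
    'variable'    : path starts with a plain variable; review where it is set.
    """
    constants = set(DEFINE_RE.findall(php_source))
    results = []
    for m in INCLUDE_RE.finditer(php_source):
        arg = m.group(1).strip()
        if SUPERGLOBAL_RE.search(arg):
            verdict = 'superglobal'
        elif arg[0] in "'\"" or arg.split('.')[0].strip() in constants:
            verdict = 'constant'
        else:
            verdict = 'variable'
        results.append((arg, verdict))
    return results


if __name__ == '__main__':
    for name, src in (('i-Stats-like', ISTATS_LIKE), ('parameter-driven', PARAM_DRIVEN)):
        for arg, verdict in classify_includes(src):
            print(f"{name}: {arg!r} -> {verdict}")
```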
