[VIM] [false] Remote File Include In Script stat12
Steven M. Christey
coley at linus.mitre.org
Wed Apr 11 23:03:15 UTC 2007
Darkfig,
Agreed - I accidentally did a similar investigation because I forgot you
had posted this :)
I have no idea where the "stat12" came from since it's not part of the
live site that appears to have the unparsed i-Stats code.
If you change the "counter.php" on the live site to index.php, which was
the program in the original disclosure, you have:
require_once(LANGPATH . $cfg['langFile']);
which obviously is not a "langpath" parameter.
Hey Gadi - RaeD seems to be one of the worst offenders right now and
identifies as Israeli. Do you feel like using your subtle,
non-confrontational style to see if he can change his ways? ;-)
- Steve
On Tue, 3 Apr 2007, GM darkfig wrote:
> Message: http://www.securityfocus.com/archive/1/464582/30/0/threaded
> Author: RaeD at BsdMail.Com
>
> When we search "Copyright (c) 2004 by Sam Tang" there is only one
> result (1) and on the server, the php is not interpreted ... we can
> read the source code. The title of the script is not "stat12" but "PHP
> i-Stats". The website (2) of the author is down. The file inclusion
> will not work: require_once('global.php');...define('LANGPATH',
> 'lang/');
>
> [1] - http://www.tiger.edu.pl/
> [2] - http://www.samphp.com
>