[VIM] dispute: older CyBoards common.php RFI (CVE-2006-2871)

Steven M. Christey coley at mitre.org
Thu Apr 12 00:09:36 UTC 2007

Researcher: SpC-x
Ref: CyBoards PHP Lite v1.25 (common.PHP) Remote File Inclusion

Using the 1.25 code referenced in the previous post, we have:


  ... and later uses.

Inspection suggests that a failed inclusion would cause lots of
problems, so the pathname would need to be changed during
installation; this is also documented in readme.txt.

config.php itself has:

  $script_path = "/home/www/forums";                 // Unix path to the forum directory. Do not include a trailing slash

config.php doesn't have any nested includes, requires, dynamic
evaluation, or extract.

$script_path is used in other includes in common.php, but these have the
same negative results.

- Steve
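
The check described in the message above, as an added example that is not part of the original post or of the CyBoards code: a Python triage heuristic that confirms a PHP config file assigns a variable once, at top level, from a plain string literal, and contains none of the constructs the post rules out (include/require, eval, extract). The names `audit_config`, `SAMPLE_CONFIG` and `SAMPLE_RISKY` are assumptions made for illustration, the second sample is constructed, and the matching is regex-based rather than a real PHP parser.

```python
import re

# First sample reuses the config.php line quoted in the post; the second is constructed.
SAMPLE_CONFIG = '''<?php
$script_path = "/home/www/forums";                 // Unix path to the forum directory. Do not include a trailing slash
?>'''
SAMPLE_RISKY = '''<?php
extract($_GET);
if (!isset($script_path)) { $script_path = "/home/www/forums"; }
?>'''

# String literals (group 1) or comments (group 2); strings match first so "//" inside one is safe.
TOKEN = re.compile(r'''("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')|(//[^\n]*|#[^\n]*|/\*.*?\*/)''', re.S)
# Constructs the post rules out for config.php: nested includes/requires, dynamic evaluation, extract.
DYNAMIC = re.compile(r'(?<![\w$>])(include_once|include|require_once|require|eval|extract)\b', re.I)


def _blank(m):
    """Drop comments; replace plain string literals with an empty one, keep interpolated ones."""
    s = m.group(1)
    if not s:
        return ""
    return s if s[0] == '"' and "$" in s else '""'


def audit_config(src, var):
    """Return reasons why src cannot be trusted to define $var statically (empty list = clean)."""
    bare = TOKEN.sub(_blank, src)
    problems = ["uses %s" % m.group(1).lower() for m in DYNAMIC.finditer(bare)]
    assigns = list(re.finditer(r'\$%s\s*(\.?=)(?!=)\s*(.*?);' % re.escape(var), bare, re.S))
    if not assigns:
        problems.append("$%s is never assigned" % var)
    for m in assigns:
        if m.group(1) != "=" or m.group(2).strip() != '""':
            problems.append("$%s assigned a non-literal value" % var)
        # Unbalanced braces before the assignment mean it sits inside a conditional or function.
        if bare.count("{", 0, m.start()) != bare.count("}", 0, m.start()):
            problems.append("$%s assigned inside a block" % var)
    return problems


if __name__ == "__main__":
    for name, src in (("config.php", SAMPLE_CONFIG), ("risky.php", SAMPLE_RISKY)):
        print(name, audit_config(src, "script_path") or "static definition, no dynamic constructs")
```

The word "include" in the quoted line's trailing comment is why comments are stripped before matching; without that step the clean config would be flagged.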
