[VIM] false: PhotoStand (plugins.php) Remote File Include Vuln.
str0ke
str0ke at milw0rm.com
Wed Feb 7 13:28:35 EST 2007
$open_plugins = opendir($plugins_path . "plugins/");
// Read plugins directory
while ($plugin = readdir($open_plugins)) {
    if (is_file($plugins_path . "plugins/" . $plugin . "/plugin.php"))  // line 18
        include($plugins_path . "plugins/" . $plugin . "/plugin.php");  // line 20
}
###########################
The while loop would end if plugins_path isn't a directory, which it
seems is the only variable that you can play with :(
/str0ke
On 2/7/07, Steven M. Christey <coley at linus.mitre.org> wrote:
>
> On Wed, 7 Feb 2007, str0ke wrote:
>
> > line: 18 if(is_file($plugins_path . "plugins/" . $plugin ."/plugin.php")
> >
> > line: 20 include($plugins_path . "plugins/" . $plugin ."/plugin.php");
> >
> > Not vulnerable.
>
> If $plugins_path or $plugin are attacker-controlled, then are they subject
> to ".." or "/abs/path" traversal attacks?
>
> - Steve
>
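A hardened form of the plugin loader discussed in this thread, added here as an example; it is not code from PhotoStand or from either poster. It assumes the plugins directory is a fixed path beside the script (never taken from request input) and that a plugin directory name is a short identifier, so "..", absolute paths and URL-style values are rejected before anything is included.

```php
<?php
// Added example: a hardened plugin loader (not the PhotoStand code).
// Assumptions: plugins live in ./plugins relative to this file, and a
// plugin name is a short alphanumeric identifier.

// Fixed, server-side base; never derived from $_GET/$_POST/$_COOKIE.
define('PLUGINS_BASE', realpath(__DIR__ . '/plugins'));

/**
 * Return the plugin.php paths that are safe to include, or an empty
 * array when the plugins directory does not exist.
 */
function safe_plugin_files(): array {
    $base = PLUGINS_BASE;
    if ($base === false || !is_dir($base)) {
        // Same outcome str0ke describes: no directory, no loop iterations.
        return [];
    }
    $files = [];
    foreach (scandir($base) as $plugin) {
        // Whitelist the name: rejects ".", "..", "/", "\", schemes and NUL bytes.
        if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $plugin)) {
            continue;
        }
        $candidate = realpath($base . DIRECTORY_SEPARATOR . $plugin
                              . DIRECTORY_SEPARATOR . 'plugin.php');
        if ($candidate === false || !is_file($candidate)) {
            continue;
        }
        // realpath() resolved symlinks; require the result to stay under $base.
        $prefix = $base . DIRECTORY_SEPARATOR;
        if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
            continue;
        }
        $files[] = $candidate;
    }
    return $files;
}

foreach (safe_plugin_files() as $file) {
    include $file;
}
```

The prefix check after realpath() is what answers the ".." and "/abs/path" question raised in the quoted reply: even a symlinked plugin directory cannot pull in a file outside the plugins tree.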