[VIM] false: old Develooping Flash Chat RFI
Steven M. Christey
coley at mitre.org
Wed Feb 14 02:32:22 EST 2007
Researcher: SpC-x
Ref: Develooping Flash Chat (banned_file) Remote File Inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-06/0317.html
Claimed exploit:
http://www.target.com/path/chat/adminips.php?banned_file=CmdShell
Source inspection of versions 1.2, 1.5, and 1.6.5, as downloaded from
www.vclcomponents.com, showed the following code:
    require ('required/config.php');
    $banned_file = "required/banned_ip.txt";
    if (($name==$admin_name) and ($password==$admin_password)){
      $lines = file($banned_file);
config.php had nothing but variable declarations.
- Steve
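Added triage harness (not from Steve's post and not Develooping Flash Chat's own code): it re-runs the quoted fragment under emulated register_globals, the only mechanism by which a request parameter named banned_file could have become a PHP variable in that script, and records what path actually reaches the file() sink. The admin credentials and the request values are constructed stand-ins; config.php is replaced by two plain assignments because the post says it contained nothing but variable declarations.

```php
<?php
// Added triage harness, not part of the VIM post or the product's code.
// Goal: confirm by execution, not by reading, that the request parameter
// named in the claimed exploit never reaches file().
namespace Triage;

// An unqualified call to file() inside this namespace resolves to this
// function first (namespace fallback), so the quoted code can run
// unmodified while we capture the argument and never touch the disk.
function file(string $path): array {
    Sink::$observed[] = $path;
    return [];                      // stand-in for the banned-IP list
}

final class Sink {
    public static array $observed = [];
}

// The three quoted lines, wrapped so they can be called with a request.
function adminips(array $request): ?string {
    // Assumed stand-ins for the declarations in required/config.php.
    $admin_name = 'admin';
    $admin_password = 'secret';

    // register_globals emulation: every request parameter becomes a local
    // variable, including an attacker-chosen $banned_file.
    extract($request, EXTR_OVERWRITE);

    // Verbatim from the product: the literal assignment runs after the
    // include and before the only use of $banned_file.
    $banned_file = "required/banned_ip.txt";
    if (($name == $admin_name) and ($password == $admin_password)) {
        $lines = file($banned_file);
        return $banned_file;        // what the sink actually received
    }
    return null;                    // auth failed, sink never reached
}

// Constructed request mirroring the advisory's parameter name and value.
$claim = [
    'banned_file' => 'CmdShell',
    'name'        => 'admin',
    'password'    => 'secret',
];

$reached = adminips($claim);
printf("file() received: %s\n", implode(', ', Sink::$observed));
printf("request-controlled value reached the sink: %s\n",
    in_array($claim['banned_file'], Sink::$observed, true) ? 'yes' : 'no');
```

Run with `php harness.php`: file() receives only required/banned_ip.txt, and the "reached the sink" line is "no" even with register_globals emulated and valid admin credentials supplied, which is exactly why the claim fails regardless of PHP configuration. The same wrap-and-intercept pattern (namespaced shadow of the sink function plus extract() for register_globals) works for checking any old include/file() RFI claim against the real source before marking it confirmed.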