[VIM] PBLang 4.60 <= (index.php) Remote File Include Vulnerability

George A. Theall theall at tenablesecurity.com
Fri Feb 16 12:37:02 EST 2007

This concerns the remote file include reported in PBLang here:


The code in index.php starts with:

   require ('header.php');

header.php just sets some HTTP headers, starts a session, and other
sorts of housekeeping; it doesn't reference $dbpath or include other files.

global.php doesn't exist out of the box but gets created as part of the 
install to initialize constants, including $dbpath. At least as created, 
it does not give a remote user any way to overwrite the setting for 
$dbpath or use it, even indirectly. So this report looks bogus to me.

Btw, the download link in the advisory leads to version 4.65 as part the 
enclosed docs/PBLang-update.txt (look at the bottom), not 4.60 as 
claimed in the posting.

theall at tenablesecurity.com
