[VIM] phpProfiles vendor ack

security curmudgeon jericho at attrition.org
Thu Mar 1 23:39:12 EST 2007


Posted: Fri Dec 22, 2006 2:11 pm    Post subject: Security Alert

Hackers have found a way to exploit the script the way it is written. We use 
variables that are defined in config.php for some of the include paths. Since 
the script is open source, a hacker is able to download the script and learn 
the names given to these variables (i.e. $incpath, $usrinc, etc.).

The hacker then uses the variables to call code from their server. The solution 
will be to change all of the include variables to absolute paths:



include("include/body.inc.php"); etc ...

The fix will involve some time to complete. Until then, while we took down the 
demo we did leave the downlaod up in case someone wants to use the script & 
make the modifications themselves. More about the issue is available at:


More information about the VIM mailing list