[VIM] Remote File Include In ClipShare.v1.5.3

str0ke str0ke at milw0rm.com
Mon Mar 12 21:49:49 UTC 2007


haha, I have stopped checking his work due to the amount of false positives.

/str0ke

On 3/12/07, George A. Theall <theall at tenablesecurity.com> wrote:
> Has anyone been able to verify this
> (http://archives.neohapsis.com/archives/bugtraq/2007-03/0118.html)? The
> source for this app isn't publicly available, but I've looked at
> copies of adodb-connection.inc.php included in other apps and all are
> implemented as a PHP class, with no ability to call it directly and get
> anything like a remote file include.
>
> In addition, while the code does use '$cmd', it's in a call to exec()
> rather than include(), and its value does not seem at first blush to be
> under an attacker's control.
>
> Methinks deaR aydasaH has things a bit backwards.
>
> George
> --
> theall at tenablesecurity.com
>

