[VIM] smells false: VirtuaNews.Pro RFI

Steven M. Christey coley at mitre.org
Tue May 1 01:47:13 UTC 2007


Researcher: s433d_only_linux
Ref: BUGTRAQ VirtuaNews.Pro.v1.0.3.Retail.+All.Plugins  Remote file Include
     http://marc.info/?l=bugtraq&m=117754415631909&w=2


Extracted source code says:

  include($admindirectory."/".$key.".php");

but exploit uses the "include" parameter, not $admindirectory.

I don't have time at the moment to investigate further.

- Steve
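
A small triage check for the mismatch noted in the message above, as an added example that is not part of the original post: it lists the names that can reach a dynamic include and tests whether the parameter named in an advisory is among them. The function names, the second sample and the register_globals assumption are illustrative; only the first sample line comes from the post.

```python
import re

# Dynamic include/require; the lookbehind skips "$include" and quoted 'include'.
INCLUDE_RE = re.compile(
    r"(?<![$\w'\"])(?:include|require)(?:_once)?\b\s*\(?\s*([^;]*);", re.I)
ASSIGN_RE = re.compile(r"\$(\w+)\s*\.?=(?![=>])\s*([^;]*);")
VAR_RE = re.compile(r"\$(\w+)")
REQ_KEY_RE = re.compile(
    r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[\s*['\"](\w+)['\"]\s*\]")
SUPERGLOBALS = {"_GET", "_POST", "_REQUEST", "_COOKIE"}

def sources(expr):
    """Request keys read explicitly plus plain variable names used in expr."""
    return set(REQ_KEY_RE.findall(expr)) | (set(VAR_RE.findall(expr)) - SUPERGLOBALS)

def include_inputs(php):
    """Return (statement, names) for each include whose operand has variables.
    Flow-insensitive: every assignment in the file is treated as reachable."""
    assigns = {}
    for lhs, rhs in ASSIGN_RE.findall(php):
        assigns.setdefault(lhs, set()).update(sources(rhs))
    results = []
    for m in INCLUDE_RE.finditer(php):
        seen, todo = set(), list(sources(m.group(1)))
        while todo:
            name = todo.pop()
            if name not in seen:
                seen.add(name)
                todo.extend(assigns.get(name, ()))
        if seen:
            results.append((m.group(0).strip(), seen))
    return results

def claim_is_consistent(php, claimed_param):
    """Assumption: with register_globals on, request parameter X sets global $X,
    so a claimed parameter is plausible only if X can reach an include operand."""
    return any(claimed_param in names for _, names in include_inputs(php))

PAGE_LINE = 'include($admindirectory."/".$key.".php");'   # from the post
CONSTRUCTED = '''$page = $_GET['include'];
$path = $base . "/" . $page;
require_once $path . ".php";'''                            # constructed sample

if __name__ == "__main__":
    for label, src in (("post", PAGE_LINE), ("constructed", CONSTRUCTED)):
        print(label, claim_is_consistent(src, "include"), include_inputs(src))
```

A False result only flags the claim for manual review of the full source; it does not by itself show that the report is wrong.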

