[VIM] true: firefly RFI, both doc_root and DOCUMENT_ROOT

Steven M. Christey coley at linus.mitre.org
Wed May 2 19:13:04 UTC 2007

On Wed, 2 May 2007, str0ke wrote:

> Doesn't $DOCUMENT_ROOT default to $_SERVER[DOCUMENT_ROOT]; when
> register globals = on?  At least it does on my php4 / php5 test boxes.

More stuff I didn't really know... thanks!

Works on my PHP 4.4.4...

I think FrSIRT sometimes monitors this list.  Maybe they can clarify?

NOW... maybe $doc_root on config.php is wrong, too.

modules/admin/include/config.php has:

  include $DOCUMENT_ROOT."/config.php";
  include $doc_root."/modules/admin/include/applid.php";

So - if $DOCUMENT_ROOT is properly defined - it looks like this might
include the config.php in firefly's root directory, which has:


BUT... as discussed in previous VIM posts... if the include with the
$DOCUMENT_ROOT fails, then the program continues anyway, and the $doc_root
isn't defined.  So we definitely care about whether $DOCUMENT_ROOT can be
controlled or not.

localize.php is definitely still bad.  The code I quoted is the default
for a top-level switch call without any preceding code.

- Steve
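
Added example, not part of the original post or of firefly's code: a rough Python check for the pattern discussed above, an include whose leading variable is never assigned in the same file and so, with register_globals on, may be seeded from the request. The function name, the sample files and the dirname(__FILE__) fix are assumptions made for illustration; only the two include lines come from the post.

```python
import re

# include/require[_once] whose path expression starts with a plain variable
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)')
# simple assignment "$name =" (not "==")
ASSIGN_RE = re.compile(r'\$(\w+)\s*=(?!=)')
# $_SERVER is filled in by PHP itself and cannot be seeded by register_globals;
# individual keys still need review (assumption: only this one is skipped)
PREDEFINED = {'_SERVER'}

def unsafe_includes(php_source):
    """Return (line_number, variable) for each include whose leading
    variable was not assigned earlier in the same file."""
    assigned, findings = set(PREDEFINED), []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        code = line.split('//', 1)[0]  # crude: drop trailing // comments
        m = INCLUDE_RE.search(code)
        if m and m.group(1) not in assigned:
            findings.append((lineno, m.group(1)))
        assigned.update(ASSIGN_RE.findall(code))
    return findings

# Constructed sample built around the two include lines quoted in the post.
VULNERABLE = '''<?php
include $DOCUMENT_ROOT."/config.php";
include $doc_root."/modules/admin/include/applid.php";
'''

# Constructed hardened form (assumption, not firefly's actual fix): the base
# path is derived from the file's own location, and require_once stops the
# script if the file is missing instead of continuing as include does.
HARDENED = '''<?php
$doc_root = dirname(__FILE__) . "/../../..";
require_once $doc_root."/config.php";
require_once $doc_root."/modules/admin/include/applid.php";
'''

if __name__ == '__main__':
    for name, src in (('vulnerable', VULNERABLE), ('hardened', HARDENED)):
        for lineno, var in unsafe_includes(src):
            print(f'{name}: line {lineno}: include path starts with '
                  f'unassigned ${var}')
```

The check is line-based and per-file, so a variable set by an earlier include is still reported; treat each finding as a prompt to confirm where the variable is defined.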
