[VIM] FALSE -> DynamicPAD HomeDir RFI

Heinbockel, Bill heinbockel at mitre.org
Tue May 8 11:16:57 UTC 2007


MILW0RM:3868
SECUNIA:25176
FRSIRT:ADV-2007-1681
BID:23861

The second line (before any use of $HomeDir) in index.php and
dp_logs.php:
>  require_once( "dp_conf.php" );


The first lines in dp_conf.php read:
>  Error_Reporting(0);
>
>  if ( file_exists( "dp_conf.php.inc" ) ) {
>    include( "dp_conf.php.inc" );
>  } else die( '<center>Unable to find dp_conf.php.inc</center>' );


And, the third instruction in INSTALL.txt reads:
> Rename "dp_conf.php.inc.default" into "dp_conf.php.inc" and
> "dp_conf.dat.default" into "dp_conf.dat".

Finally, of course, in the packaged dp_conf.php.inc.default file (line
12):
>  $HomeDir           = "";


So, if the user follows the installation instructions, there is no RFI.
If the user forgets the "install", the software dies. No vulnerability.


William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615
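A small triage helper, added here and not part of the original post or of DynamicPAD, that mechanises the argument above: it walks the include chain from index.php in execution order and reports whether $HomeDir reaches an include() path before anything has assigned it. The sample sources are constructed from the lines quoted in the post; the include in index.php that uses $HomeDir (and the file name dp_lib.php) is hypothetical, and a missing include target is treated as the die() branch of dp_conf.php.

```python
import re

# Constructed sources modelled on the lines quoted in the post. The include that
# uses $HomeDir in index.php, and the file name dp_lib.php, are hypothetical.
INSTALLED = {
    "index.php": 'require_once( "dp_conf.php" );\n'
                 'include( $HomeDir . "dp_lib.php" );\n',
    "dp_conf.php": 'Error_Reporting(0);\n'
                   'if ( file_exists( "dp_conf.php.inc" ) ) {\n'
                   '  include( "dp_conf.php.inc" );\n'
                   "} else die( '<center>Unable to find dp_conf.php.inc</center>' );\n",
    "dp_conf.php.inc": '$HomeDir           = "";\n',
}
# INSTALL.txt step 3 skipped: dp_conf.php.inc was never renamed into place.
NOT_INSTALLED = {k: v for k, v in INSTALLED.items() if k != "dp_conf.php.inc"}
# Counter-case the claim presupposed: a config that never assigns $HomeDir.
UNSET_CONFIG = {**INSTALLED, "dp_conf.php.inc": '$SomethingElse = 1;\n'}
INCLUDE_RE = re.compile(r'\b(require_once|include_once|require|include)\s*\(?\s*([^;]+?)\s*\)?\s*;')
ASSIGN_RE = re.compile(r'\$(\w+)\s*=(?!=)')
LITERAL_RE = re.compile(r'^["\']([^"\']+)["\']$')


def trace_include_var(files, var, entry="index.php"):
    """Walk include/require calls from `entry` in execution order. Returns "guarded"
    (every include built from $var follows an assignment to it), "unguarded" ($var
    reaches an include path unassigned) or "dies" (a static include target is absent,
    modelling dp_conf.php's file_exists()/die() guard)."""
    assigned = False
    loaded = set()

    def walk(name):
        nonlocal assigned
        if name not in files:
            return "dies"
        loaded.add(name)
        for line in files[name].splitlines():
            inc = INCLUDE_RE.search(line)
            if inc:
                kind, arg = inc.groups()
                if f"${var}" in arg and not assigned:
                    return "unguarded"
                lit = LITERAL_RE.match(arg.strip())
                if lit and not (kind.endswith("_once") and lit.group(1) in loaded):
                    verdict = walk(lit.group(1))  # descend into the static include
                    if verdict:
                        return verdict
            elif (m := ASSIGN_RE.search(line)) and m.group(1) == var:
                assigned = True  # first assignment on this execution path
        return None
    return walk(entry) or "guarded"
```

Running `trace_include_var(tree, "HomeDir")` over INSTALLED, NOT_INSTALLED and UNSET_CONFIG gives "guarded", "dies" and "unguarded" respectively, matching the three cases the post walks through.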

