[VIM] probably false: pfa RFI

Steven M. Christey coley at mitre.org
Wed May 9 16:55:01 UTC 2007

Researcher: iLker Kandemir
Ref: BUGTRAQ pfa CMS v6.0 (index.php repinc) Remote File Include Vulnerability

index.php starts with:

  session_start();									//démarrage de la session
  require('config.inc.php');							//on inclu le fichier de configuration
  require($repinc.'functions.inc.php');				//on inclu les fonctions

All together now!  config.inc.php contains:

  $repinc = 'include/';

I say "probably" because there are lots of other includes.  However,
this is the only place where $repinc is set, and grep doesn't show any
evidence of dynamic variable evaluation or extract calls.

- Steve

More information about the VIM mailing list