[VIM] smells false: phpFreeLog RFI
Steven M. Christey
coley at mitre.org
Sat Oct 6 16:35:47 UTC 2007
Researcher: KUZ3Y (labeled as "Vendor")
http://www.secumania.org/exploits/web-applications/phpfreelog-alpha-v0_2_0--%3C%3D--remote-file-inclusion-vulnerability-2007092832175/

This line is quoted:

    include_once $this->var_dir.$var.'.php';

with this exploit:

    /patch/log.php?var=http://localhost/shell.txt?

First of all, $var_dir is defined to a constant path, so RFI doesn't
look possible.

Secondly, the include_once call is in a class definition, wrapped
within a foreach:

    foreach ($var_types as $var) {

which would overwrite $var.

And, this is within a read_mod() method that appears to be called with
uncontrollable data, but I'm not 100% clear on that.

- Steve
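
The two points in the post, reproduced as an added example (not part of the original message and not phpFreeLog source). The class name, directory and type names are hypothetical; only the foreach and the path concatenation follow the quoted lines, and the script resolves the paths instead of including them.

```php
<?php
// Constructed reproduction for triage. ModLoader, /srv/app/vars/ and the
// type names are hypothetical; only the two quoted statements are mirrored.

class ModLoader
{
    // Assumption: a fixed local path, as the post says of $var_dir.
    public $var_dir = '/srv/app/vars/';

    // Returns the paths the quoted include_once would resolve.
    public function read_mod(array $var_types)
    {
        $resolved = array();
        foreach ($var_types as $var) {   // $var is (re)assigned on every pass
            $resolved[] = $this->var_dir . $var . '.php';
        }
        return $resolved;
    }
}

// Simulate the published request, including the legacy register_globals
// effect of creating a global $var from the query string.
$_GET['var'] = 'http://localhost/shell.txt?';
$var = $_GET['var'];

$loader = new ModLoader();

// Case 1: $var_types comes from the server side (hypothetical values).
// The global $var is not in method scope, and the foreach assigns $var anyway.
$cases = $loader->read_mod(array('config', 'lang'));

// Case 2: worst case, the request value reaches $var_types unchanged.
// The constant prefix still comes first in the resolved path.
$cases = array_merge($cases, $loader->read_mod(array($_GET['var'])));

foreach ($cases as $p) {
    // PHP selects a URL wrapper only when the path begins with a scheme.
    $remote = (bool) preg_match('#^[a-z][a-z0-9+.\-]*://#i', $p);
    printf("%s  remote=%s\n", $p, $remote ? 'yes' : 'no');
}
```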