[VIM] OSVDB 33460 / CVE-2007-0190 - edit-x
security curmudgeon
jericho at attrition.org
Tue Sep 11 07:15:57 UTC 2007
The original VIM post said this was false, but apparently it only works when
allow_url_fopen is enabled.
---------- Forwarded message ----------
From: < @edit-x.com>
To: 'security curmudgeon' <jericho at attrition.org>
Date: Tue, 11 Sep 2007 01:51:07 -0400
Subject: RE: [OSVDB Mods] [WEB PAGE] - Removal
You would have to have allow_url_fopen enabled in order for that
vulnerability to exist which is disabled by default.
http://www.webmasterworld.com/php/3181065.htm
http://www.claroline.net/wiki/index.php/Security
It just isn't completely accurate that it is a vulnerability considering
it depends on how you configure your server. At any rate those variables
have been removed and those files do not look that way any longer so the
page is completely inaccurate.
R. Stacy Cook
Edit-X :: Control Your Content
www.edit-x.com
-----Original Message-----
From: security curmudgeon [mailto:jericho at attrition.org]
Sent: Tuesday, September 11, 2007 1:41 AM
To: R. Stacy Cook @ Edit-X
Cc: OSVDB Mods
Subject: RE: [OSVDB Mods] [WEB PAGE] - Removal
: I would like it removed because this is no longer accurate. It would
: also lead someone to believe it exists when a certain server
: configuration would have to be set in order for this to work. I am
: asking all sources to remove it.
What server configuration would make it vulnerable exactly?
register_globals or another PHP option?
Brian
OSVDB.org