[VIM] OSVDB 33460 / CVE-2007-0190 - edit-x

security curmudgeon jericho at attrition.org
Tue Sep 11 07:15:57 UTC 2007


The original VIM post said this was false, but apparently it only works when
allow_url_fopen is enabled.

---------- Forwarded message ----------
From:  < @edit-x.com>
To: 'security curmudgeon' <jericho at attrition.org>
Date: Tue, 11 Sep 2007 01:51:07 -0400
Subject: RE: [OSVDB Mods] [WEB PAGE] - Removal

You would have to have allow_url_fopen enabled in order for that
vulnerability to exist which is disabled by default.

http://www.webmasterworld.com/php/3181065.htm

http://www.claroline.net/wiki/index.php/Security

It just isn't completely accurate that it is a vulnerability considering
it depends on how you configure your server. At any rate, those variables
have been removed and those files do not look that way any longer so the
page is completely inaccurate.

R. Stacy Cook
Edit-X :: Control Your Content
www.edit-x.com



-----Original Message-----
From: security curmudgeon [mailto:jericho at attrition.org]
Sent: Tuesday, September 11, 2007 1:41 AM
To: R. Stacy Cook @ Edit-X
Cc: OSVDB Mods
Subject: RE: [OSVDB Mods] [WEB PAGE] - Removal


: I would like it removed because this is no longer accurate. It would
: also lead someone to believe it exists when a certain server
: configuration would have to be set in order for this to work. I am
: asking all sources to remove it.

What server configuration would make it vulnerable exactly?
register_globals or another PHP option?

Brian
OSVDB.org

