[VIM] Ptag <= 4.0.0 Multiple RFI Exploit
George A. Theall
theall at tenablesecurity.com
Tue Dec 22 19:45:49 UTC 2009
Exploit-DB #10562 also looks bogus to me.
One of the PoCs is:
[Ptag_path]/lib/session.php?ptag_dir=[Shell]
cr4wl3r helpfully includes a snippet of the affected code:
<?php
//Plottable Tagboard Systems Version 4.0.0 - ROLAND
//Session handling File
require_once(ptag_dir."lib/php/crossSession.php");
Note that 'ptag_dir' isn't a variable in the PHP code, but a define so
it's not under a remote attacker's control.
I wondered if there was simply a typo in the advisory, but alas, no,
as you can see from:
http://ptag.svn.sourceforge.net/viewvc/ptag/trunk/ptag/lib/session.php?revision=69&view=markup
George
--
theall at tenablesecurity.com
More information about the VIM
mailing list