[VIM] Pluck 4.6.2 (langpref) Local File Inclusion Vulnerabilities
str0ke
str0ke at milw0rm.com
Mon May 18 19:37:37 UTC 2009
There isn't a data directory in the same folder as the vulnerable
scripts. So it will error in inclusion on most of the lines except the
3rd one if register globals = on.
George A. Theall wrote:
> The issues in milw0rm 8715 / BID 35007 don't look valid to me. The
> code in the three files in 4.6.2 looks like:
>
> include ("data/settings/langpref.php");
> include ("data/inc/lang/en.php");
> include ("data/inc/lang/$langpref");
>
> The first of these consists entirely of:
>
> <?php $langpref = "en.php"; ?>
>
> and the second hardcodes variables named '$lang' and '$lang_' but
> doesn't reference any request data. Has anybody else looked into them?
>
>
> George
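The case discussed above, where the first include fails and `$langpref` is never set by the settings file, can be closed on the application side by initialising the variable, loading the settings file by absolute path, and validating the name before the third include. This is an added example, not Pluck's code and not from either poster; `resolve_lang_file()` and the temporary directory layout are assumptions made for illustration.

```php
<?php
// Added example, not Pluck's code. resolve_lang_file() and the layout
// created under $base are hypothetical and exist only for illustration.

function resolve_lang_file(string $base, $langpref): string
{
    $langDir  = $base . '/data/inc/lang';
    $fallback = $langDir . '/en.php';

    // Accept only a bare file name such as "en.php" or "pt-br.php":
    // no path separators, no extra dots, no NUL bytes, strings only.
    if (!is_string($langpref) || !preg_match('/\A[a-z]{2,3}(-[a-z]{2})?\.php\z/', $langpref)) {
        return $fallback;
    }

    // The file must exist and resolve inside the language directory.
    $root = realpath($langDir);
    $real = realpath($langDir . '/' . $langpref);
    if ($root === false || $real === false || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return $fallback;
    }
    return $real;
}

// Constructed directory layout so the example runs offline.
$base = sys_get_temp_dir() . '/pluck_demo_' . getmypid();
mkdir($base . '/data/inc/lang', 0700, true);
mkdir($base . '/data/settings', 0700, true);
file_put_contents($base . '/data/inc/lang/en.php', '<?php $lang = "English"; ?>');
file_put_contents($base . '/data/settings/langpref.php', '<?php $langpref = "en.php"; ?>');

// Initialise first, so the value never depends on the settings include succeeding.
$langpref = 'en.php';
// Absolute path plus require: a missing settings file is fatal, not a warning.
require $base . '/data/settings/langpref.php';
require resolve_lang_file($base, $langpref);
echo $lang, "\n";

// Constructed candidate values: only the first is accepted as given,
// the others fall back to en.php.
foreach (['en.php', '../settings/langpref.php', 'en.php/../x', 'EN.PHP'] as $candidate) {
    echo $candidate, ' -> ', basename(resolve_lang_file($base, $candidate)), "\n";
}
```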