[VIM] some discrepancies: Linker IMG <=1.0 RFI

Steven M. Christey coley at linus.mitre.org
Fri Jun 25 15:17:51 CDT 2010

Researcher: Sn!pEr.S!Te Hacker

This is claimed to be RFI, but source inspection suggests that it is at 
best LFI.

   include ("./function/base_info.php");
   include ("./function/main_func.php");
   include ("./function/$Sdb_type.php");
   if ($lan_dir && file_exists("./$lan_dir/u_common.php"))
     include ("./$lan_dir/u_common.php");
   else include ("./$Slang/u_common.php");

First of all, the demo URL says "$lan_dir=[RFI]" but clearly $lan_dir is 
processed by the cook_lan cookie (VUPEN already noticed this, which 
prompted my investigation).

The include() is clearly only susceptible to LFI.

The "./function/$Sdb_type.php" include statement is presumably the source 
of the "Sdb_type=[RFI]" vector claimed by the researcher, but my casual 
source inspection suggests that $Sdb_type is probably set in an executable 
config file that is generated on installation.

By the way, the $Slang vector above also seems to be a hard-coded config 

- Steve

More information about the VIM mailing list