[VIM] Missed PHP file include in recent Calendarix
security curmudgeon
jericho at attrition.org
Wed Jun 8 03:18:38 EDT 2005

: BUGTRAQ:20050531 multiple vulnerability Calendarix Advanced
: URL:http://archives.neohapsis.com/archives/bugtraq/2005-05/0356.html
:
: Multiple VDBs seem to have missed the following portion of the post:
:
: Include
:
: line 16
: admin/cal_admintop.php:include_once($calpath."cal_utils.php");

I didn't create an entry for this because it wasn't clear what 'include'
entailed. Looking back, I probably should have created an unspecified type
entry until more details were discovered. Given that some vulns are file
inclusion, others are HTML inclusion, one I created today was for
arbitrary image inclusion.. just seeing "include" was not crystal clear.
My first take was this was relevant code to the other vulnerabilities.

: Thus it appears to be a typical file include issue where an include file
: depends on variables defined by previously included files, but is
: directly callable assuming the relevant PHP configuration etc. etc. etc.

Nice..
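
Added example, not part of the original post or of Calendarix: a heuristic audit check for the pattern described in the quoted text, an include path built from a variable that the file itself never assigns and so depends on an earlier include having set it. The function name and the three sample file bodies are constructed for illustration; only the `include_once` statement comes from the post.

```python
import re

# include/require statement; group 1 is the path expression.
INCLUDE_RE = re.compile(
    r'(?<![$\w])(?:include|require)(?:_once)?\b\s*\(?\s*([^;]+?)\s*\)?\s*;')
VAR_RE = re.compile(r'\$([A-Za-z_]\w*)')
# Plain assignment "$name =", excluding "==" and "=>".
ASSIGN_RE = re.compile(r'\$([A-Za-z_]\w*)\s*=(?![=>])')

# Constructed sample: the statement quoted in the post, as a whole file body.
FLAGGED = '<?php\ninclude_once($calpath."cal_utils.php");\n'
# Constructed sample: path anchored to the file's own directory.
ANCHORED = '<?php\ninclude_once(__DIR__ . "/../cal_utils.php");\n'
# Constructed sample: the variable is assigned in the same file first.
LOCAL = '<?php\n$calpath = "../";\ninclude_once($calpath."cal_utils.php");\n'


def unassigned_include_vars(source):
    """Return [(line_no, var)] for include paths built from a variable
    that this file has not assigned before the include statement.
    Heuristic only: it does not follow includes or parse PHP fully."""
    assignments = [(m.start(), m.group(1)) for m in ASSIGN_RE.finditer(source)]
    findings = []
    for inc in INCLUDE_RE.finditer(source):
        seen = {name for pos, name in assignments if pos < inc.start()}
        line_no = source.count('\n', 0, inc.start()) + 1
        for var in VAR_RE.findall(inc.group(1)):
            if var not in seen:
                findings.append((line_no, var))
    return findings


if __name__ == "__main__":
    for label, body in (("flagged", FLAGGED), ("anchored", ANCHORED),
                        ("local", LOCAL)):
        print(label, unassigned_include_vars(body))
```

A finding means the file should be reviewed for whether it can be requested directly; it is a triage signal, not proof of a vulnerability.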