[VIM] Missed PHP file include in recent Calendarix

security curmudgeon jericho at attrition.org
Wed Jun 8 03:18:38 EDT 2005


:   BUGTRAQ:20050531 multiple vulnerability Calendarix Advanced
:   URL:http://archives.neohapsis.com/archives/bugtraq/2005-05/0356.html
: 
: Multiple VDBs seem to have missed the following portion of the post:
: 
:         Include
: 
:         line 16
:         admin/cal_admintop.php:include_once($calpath."cal_utils.php");

I didn't create an entry for this because it wasn't clear what 'include' 
entailed. Looking back, I probably should have created an unspecified type 
entry until more details were discovered. Given that some vulns are file 
inclusion, others are HTML inclusion, one I created today was for 
arbitrary image inclusion..  just seeing "include" was not crystal clear. 
My first take was this was relevant code to the other vulnerabilities.

: Thus it appears to be a typical file include issue where an include file 
: depends on variables defined by previously included files, but is 
: directly callable assuming the relevant PHP configuration etc. etc. etc.

Nice..
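
The pattern described in the quoted text above, as an added example that is not part of the original thread: a heuristic Python audit that flags include/require statements whose path begins with a variable the file itself never assigns and that no direct-access guard protects. The PHP samples are constructed around the one line quoted from the post; the function name and the `IN_CALENDAR` constant are hypothetical.

```python
import re

# include/require whose path starts with a variable: include_once($calpath."x.php")
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)", re.I)
# "$name =" but not "==", "===" or "=>"
ASSIGN_RE = re.compile(r"\$(\w+)\s*=(?![=>])")
# Direct-access guards: "defined('X') or die" / "if (!defined('X')) exit"
GUARD_RE = re.compile(
    r"defined\s*\([^)]*\)\s*(?:or|\|\|)\s*(?:die|exit)\b"
    r"|!\s*defined\s*\([^)]*\)\s*\)\s*\{?\s*(?:die|exit)\b", re.I)


def find_unset_include_vars(php_source):
    """Return [(line, variable)] for include paths built from a variable that
    this file never assigned earlier and that no guard protects.
    Heuristic: regex based, does not parse comments, strings or branches."""
    events = [(m.start(), "assign", m.group(1)) for m in ASSIGN_RE.finditer(php_source)]
    events += [(m.start(), "include", m.group(1)) for m in INCLUDE_RE.finditer(php_source)]
    events += [(m.start(), "guard", "") for m in GUARD_RE.finditer(php_source)]
    assigned, findings = set(), []
    for pos, kind, name in sorted(events):
        if kind == "guard":
            break  # a direct request stops here, so later includes are not reachable
        if kind == "assign":
            assigned.add(name)
        elif name not in assigned:
            findings.append((php_source.count("\n", 0, pos) + 1, name))
    return findings


# Constructed samples; only INCLUDE_LINE is quoted from the post.
INCLUDE_LINE = 'include_once($calpath."cal_utils.php");\n'
ADMINTOP = "<?php\n" + INCLUDE_LINE
# Hypothetical fix 1: the file sets its own path before including.
ASSIGNED = '<?php\n$calpath = dirname(__FILE__)."/../";\n' + INCLUDE_LINE
# Hypothetical fix 2: the file refuses to run unless a parent script defined a constant.
GUARDED = "<?php\nif (!defined('IN_CALENDAR')) { exit; }\n" + INCLUDE_LINE

if __name__ == "__main__":
    for label, src in (("as posted", ADMINTOP), ("assigned", ASSIGNED), ("guarded", GUARDED)):
        print(label, find_unset_include_vars(src))
```

A finding only means the file relies on a caller to set the variable; whether that is reachable still depends on the PHP configuration the quoted text alludes to.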


