[VIM] snif RFI curiosity
str0ke at milw0rm.com
Mon Dec 4 09:21:09 EST 2006
Confirmed fake. Removing it now.
On 12/4/06, George A. Theall <theall at tenablesecurity.com> wrote:
> Steven M. Christey wrote:
> > Ref: http://www.milw0rm.com/exploits/2868
> > While $_GET is cleansed in a way that feels funny on line 1215, there
> > is no apparent dynamic variable evaluation, include/require, or eval
> > in between the two lines.
> I don't think it's valid. The code you refer to only cleans the $_GET
> array and $externalConfig is never set other than in the one spot where
> it's hardcoded to "" as you noted.
> theall at tenablesecurity.com
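The check discussed in this thread (is the variable only ever hardcoded, and is there any dynamic variable evaluation, include/require or eval between the assignment and its use) can be scripted as a first-pass triage step when validating a claimed RFI. This is an added example, not part of the original messages and not the application's code; the function name `triage_rfi_claim` and both PHP samples are constructed for illustration.

```python
import re

# Run-time constructs that can overwrite a variable from request data.
OVERWRITE = re.compile(r"\b(?:extract|parse_str|import_request_variables|eval)\s*\(|\$\$|\$\{")

def triage_rfi_claim(php_source, var):
    """Check whether $var can plausibly be attacker-set when it reaches include/require.

    Returns (verdict, notes); notes are (line_number, reason) tuples.
    Line-based heuristic: ignores comments, multi-line statements and other files.
    """
    name = re.escape(var)
    assign = re.compile(r"\$%s\s*=(?!=)\s*([^;]*);" % name)
    sink = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*\$%s\b" % name)
    lines = php_source.splitlines()
    sinks = [i for i, text in enumerate(lines) if sink.search(text)]
    if not sinks:
        return "no-sink", []
    notes = []
    for s in sinks:
        prior = [(i, m.group(1)) for i in range(s)
                 for m in [assign.search(lines[i])] if m]
        if not prior:
            notes.append((s + 1, "no assignment before use (register_globals could set it)"))
            continue
        last, rhs = prior[-1]
        if "$" in rhs:
            notes.append((last + 1, "assigned from a non-literal expression"))
        for i in range(last + 1, s):
            if OVERWRITE.search(lines[i]):
                notes.append((i + 1, "dynamic overwrite between assignment and use"))
    return ("needs-review" if notes else "not-reachable"), notes

# Constructed samples (not the application's real source).
HARDCODED = '''<?php
$externalConfig = "";
foreach ($_GET as $k => $v) { $_GET[$k] = strip_tags($v); }
if ($externalConfig != "") { include($externalConfig); }
'''
WITH_EXTRACT = HARDCODED.replace("foreach", "extract($_GET);\nforeach")

if __name__ == "__main__":
    for label, src in (("hardcoded", HARDCODED), ("with extract()", WITH_EXTRACT)):
        print(label, triage_rfi_claim(src, "externalConfig"))
```

A "not-reachable" verdict only covers the file that was scanned; a variable set in another included file still needs a manual look.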