[VIM] Igloo DoublSpeak vuln
sullo at cirt.net
Sun Jul 23 11:31:05 EDT 2006
Since this guy posted
checked out the source and confirmed he's right. The "advisory" author
didn't bother to read more source or, I bet, even try it...
Looks vuln, maybe? Except in the config.inc it says:
'private' => '/www/mrpenguin.org/devel/private',
So... I don't see a path for exploit.
Now, if config.inc is in your web root... that's a different problem as
it has your mysql db connection info in it. Also, I think the scripts
rely on register globals as I see a lot of values being used in SQL
that aren't defined and don't have any input validation on them... you
know what that means--but I don't have time right now to dig into this
http://www.cirt.net/ | http://www.osvdb.org/
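The register_globals pattern the post describes, as an added illustration that is not code from the Igloo / DoublSpeak package. The "show a post by id" script is hypothetical; extract() stands in for register_globals=On (the default before PHP 4.2, removed entirely in PHP 5.4), the SQLite table and the request arrays are constructed inline so the script runs stand-alone from the CLI.

```php
<?php
// Added example, not from the original post or the package it discusses.
// Hypothetical "show post by id" script showing why an undefined variable
// used directly in SQL is exploitable under register_globals.

// Reproduce register_globals=On: every request parameter becomes a local
// variable. extract() is used here only because modern PHP has no such directive.
function vulnerableQuery(array $request): string
{
    extract($request);   // $id now comes straight from the client
    // $id is never assigned or validated by the script itself: exactly the
    // "values being used in SQL that aren't defined" pattern.
    return "SELECT title FROM posts WHERE id = $id";
}

// Hardened form: read the parameter explicitly, validate it, and bind it.
function safeQuery(PDO $db, array $request): array
{
    if (!isset($request['id']) || !ctype_digit((string) $request['id'])) {
        return [];       // reject anything that is not an unsigned integer
    }
    $stmt = $db->prepare('SELECT title FROM posts WHERE id = :id');
    $stmt->execute([':id' => (int) $request['id']]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory data standing in for the site's MySQL table.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO posts VALUES (1, 'public post'), (2, 'private draft')");

// Constructed request, equivalent to GET /show.php?id=1+OR+1=1
$attack = ['id' => '1 OR 1=1'];

$sql = vulnerableQuery($attack);
echo "vulnerable SQL: $sql\n";
foreach ($db->query($sql, PDO::FETCH_COLUMN, 0) as $title) {
    echo "  returned: $title\n";   // both rows come back, including the draft
}

echo 'safe, same attack: ' . json_encode(safeQuery($db, $attack)) . "\n"; // []
echo 'safe, id=2:        ' . json_encode(safeQuery($db, ['id' => '2'])) . "\n";
```

Note that the hardened version does two independent things: it stops depending on register_globals by naming its input source, and it stops building SQL by string concatenation. Turning register_globals off alone would only make $id empty (a syntax error in the query), not make the script safe; anyone who later reads $id from $_GET without binding it reintroduces the injection.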