[VIM] Vanilla CMS

Steven M. Christey coley at linus.mitre.org
Tue Jul 25 17:13:37 EDT 2006

On Mon, 24 Jul 2006, George A. Theall wrote:

> It appears to be version 1.0, and the code quoted in the advisory does
> appear in setup/upgrader.php (nb: there is no 'steup/'), which is dated
> June 24, 2006. At least in the version I was able to retrieve, I find
> immediately before that this snippet:
>                                 ---- snip, snip, snip ----
> $RootDirectory = str_replace('setup/', '', $WorkingDirectory);

> So, does the remote include issue exist in a different version or did
> MFox just not look at this carefully?

That's the question, but looking at the source code you mentioned, it
doesn't appear in version 1.0.

It does seem to be a pretty popular product, so maybe older versions are

However, a source listing of appears to be here:


but "upgrade.php" is not in a setup directory, and it doesn't have the
code you mention.

You mentioned the type in the advisory, but the vendor URL was also wrong,
and the demonstration URL started with "Http".  So there was a lot of
manual typing going on.

Even if it's real, a lot of "researchers" must be doing something like

  egrep '(require|include).*\$' *.php | post-to-bugtraq.pl

- Steve

More information about the VIM mailing list