[VIM] source verify of foing remote file inclusion
Steven M. Christey
coley at mitre.org
Thu Jun 15 23:34:11 EDT 2006
Ref: Foing (manage_songs.php) Remote File Inclusion[phpBB]
Product is intended for use with phpBB.
Vendor has abandoned the project; http://foing.sourceforge.net/ says
"I'm sorry to say that Foing is dead, and has been so for quite some
time. Version 0.7.0 will most likely be the very last". 0.7.0 was
released in 2003.
Anyway, in manage_songs.php, at the very top we have:

    $page_title = 'manage songs';
    include($foing_root_path . 'includes/common.php');

so the remote inclusion is feasible using direct request.
It's not immediately clear where this script is used in the product,
but it's there.
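
The source check described in the post can be run across a whole code base as a static audit. The following is an added example, not part of the original message or of Foing: a single-file heuristic that flags include/require paths built from a variable the file has not assigned earlier. The function name and the "path set first" sample are assumptions made for illustration.

```python
import re

# Heuristic audit: flag include/require paths built from a variable that the
# same file has not assigned before that point.
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\b\s*\(?([^;]*);', re.I)
VAR_RE = re.compile(r'\$([A-Za-z_]\w*)')
ASSIGN_RE = re.compile(r'\$([A-Za-z_]\w*)\s*=(?![=>])')

def find_unset_include_vars(php_source):
    """Return [(line_no, variable)] for each include path variable with no
    earlier assignment in php_source."""
    assigned, findings = set(), []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        if line.lstrip().startswith(('//', '#', '*', '/*')):
            continue  # skip comment lines
        m = INCLUDE_RE.search(line)
        if m:
            # Count assignments made earlier on the same line as well.
            known = assigned | set(ASSIGN_RE.findall(line[:m.start()]))
            for var in VAR_RE.findall(m.group(1)):
                if var not in known:
                    findings.append((line_no, var))
        assigned.update(ASSIGN_RE.findall(line))
    return findings

# The two lines quoted in the post, wrapped in a PHP open tag.
AS_POSTED = """<?php
$page_title = 'manage songs';
include($foing_root_path . 'includes/common.php');
"""

# Constructed variant: the path is fixed in the script before it is used.
PATH_SET_FIRST = """<?php
$foing_root_path = './';
$page_title = 'manage songs';
include($foing_root_path . 'includes/common.php');
"""

if __name__ == '__main__':
    for name, src in (('as posted', AS_POSTED), ('path set first', PATH_SET_FIRST)):
        print(name, find_unset_include_vars(src))
```

A finding is a lead for manual review, not a verdict: the check does not follow other included files, so a variable set by an earlier include is still reported.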