[VIM] CVE dispute - phpMyConferences RFI

Steven M. Christey coley at mitre.org
Thu Nov 2 20:58:20 EST 2006


Researcher: mfp.c

Issue: phpMyConferences <= 8.0.2 Remote File Inclusion
      http://www.securityfocus.com/archive/1/archive/1/450140/100/0/threaded

The referenced code:

  # if (!$gloaded_modules[$image_name])
  # {
  # include($lvc_modules_dir.'/'.$module_name.'.module.php');
  # $gloaded_modules[$module_name] = true;
  # }

is missing some context,  i.e.:

function insert_cached_module($module_desc)
{
    ...
    global $lvc_modules_dir;
    ...
    if (!$gloaded_modules[$module_name])
        {
            include($lvc_modules_dir.'/'.$module_name.'.module.php');



Since this include is within a function definition, the claimed
exploit (direct request to library.inc.php) should not work.

I'm unclear on whether a global declaration for a variable within a
function definition is sufficient to override initialization from
things like GET requests, but at best, the direct request to
library.inc.php appears erroneous.

- Steve


More information about the VIM mailing list