[VIM] net2ftp: a web based FTP client :) <= Remote File Inclusion (fwd)

Steven M. Christey coley at linus.mitre.org
Mon Oct 9 15:53:34 EDT 2006

Just to make the plot thicker:


The vendor says "These reports are based on net2ftp versions 0.60 to 0.62,
which were released more than 3 years ago, in May-July 2003.
The newer versions of net2ftp are not vulnerable to a remote file

Then the code for admin/index.php (not the original index.php) is
apparently listed.

It's not clear whether the vendor is actually acknowledging the issue, or
just saying "the newer versions don't have it."

I sucked it up, registered, and posted the following inquiry:

  Hello, I am the lead for the CVE vulnerability project.  We assigned
  CVE-2006-5097 to this issue.

  Isn't $application_rootdir already defined in "settings.inc.php", which
  is included by index.php?  So how could an attacker actually modify
  $application_rootdir ?  It's not clear to me where the vulnerability is.

- Steve

More information about the VIM mailing list