[VIM] Contenido RFI - CVE dispute

Steven M. Christey coley at mitre.org
Tue Oct 17 17:58:45 EDT 2006

Researcher: CvIr.System


  BUGTRAQ:20061013 CMS contenido Remote File Inclusion

I was investigating whether this was a rediscovery of CVE-2005-4132,
but CVE-2005-4132 comes from a vague vendor disclosure that doesn't
have any vector information.  So after a couple of minutes'
investigation, I wasn't sure if this was really new or not.

Downloading the code from:


I got Stable Version 4.6.15.

It looks like config.php sets $contenido_path to a static value:

  $contenido_path = "../contenido/";

and config.php is included before the claimed-vulnerable code:

from cms/dbfs.php:

  include_once ("config.php");
  include_once ($contenido_path . "includes/startup.php");

from cms/front_content.php:

  include_once ("config.php"); 
  # Contenido startup process
  include_once ($contenido_path."includes/startup.php");

No other code in the cms/ directory has an include that uses

So, this looks like an incorrect report.

- Steve
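
The check above was done by hand: find the include, find the variable in its path, and confirm that the variable is assigned a fixed string before the include runs. The script below is an added example, not code from the post or from the Contenido project, that automates that same triage. It walks each PHP entry point statement by statement, follows includes whose path is a plain string literal, records which variables have been assigned string literals so far, and flags any include whose path begins with a variable that has not been assigned by that point. The sample tree is constructed from the snippets quoted in the post (it is not the real 4.6.15 source), and cms/broken.php is a hypothetical file added only to show what a genuine finding looks like; the regexes handle the simple statement shapes seen above, not arbitrary PHP.

```python
import posixpath
import re

# Constructed sample tree modelled on the snippets quoted in the post.
# Not the real Contenido 4.6.15 sources; broken.php is hypothetical.
SAMPLE_FILES = {
    "cms/config.php": '<?php\n$contenido_path = "../contenido/";\n',
    "cms/dbfs.php": (
        "<?php\n"
        'include_once ("config.php");\n'
        'include_once ($contenido_path . "includes/startup.php");\n'
    ),
    "cms/front_content.php": (
        "<?php\n"
        'include_once ("config.php");\n'
        "# Contenido startup process\n"
        'include_once ($contenido_path."includes/startup.php");\n'
    ),
    # Hypothetical: the path variable is never assigned before use, which
    # is the shape a real register_globals-style RFI would have.
    "cms/broken.php": (
        "<?php\n"
        'include_once ($some_path . "includes/startup.php");\n'
    ),
}

# Matches one include/require statement (named group "inc", argument in
# "arg") or one string-literal assignment (group "asg", name in "var").
STMT_RE = re.compile(
    r'(?P<inc>\b(?:include|require)(?:_once)?\b\s*\(?\s*(?P<arg>[^;]+?)\s*\)?\s*;)'
    r'|(?P<asg>\$(?P<var>\w+)\s*=\s*(?P<q>["\'])(?P<val>.*?)(?P=q)\s*;)'
)


def classify_argument(arg):
    """Return ("literal", path) for a plain string-literal include path,
    ("var", name) when the path expression begins with a PHP variable,
    and ("other", arg) for anything else that needs a human look."""
    m = re.match(r'^(["\'])(?P<p>.*?)\1$', arg)
    if m:
        return "literal", m.group("p")
    m = re.match(r"^\$(?P<v>\w+)", arg)
    if m:
        return "var", m.group("v")
    return "other", arg


def audit_file(files, path, known=None, visited=None):
    """Walk `path` in statement order, tracking the set of variables that
    hold a string literal at each point, including ones set by files it
    includes via a literal path (config.php in the post). Returns a list
    of (file, include_argument, verdict) tuples for variable-based
    includes."""
    known = set() if known is None else known
    visited = set() if visited is None else visited
    if path in visited or path not in files:
        return []
    visited.add(path)
    findings = []
    for m in STMT_RE.finditer(files[path]):
        if m.group("asg"):
            known.add(m.group("var"))
            continue
        kind, value = classify_argument(m.group("arg"))
        if kind == "literal":
            # Resolve relative to the including file and carry its
            # assignments back into our state, as PHP's include does.
            target = posixpath.normpath(
                posixpath.join(posixpath.dirname(path), value))
            findings += audit_file(files, target, known, visited)
        elif kind == "var":
            verdict = ("static" if value in known
                       else "variable-controlled (possible RFI)")
            findings.append((path, m.group("arg"), verdict))
        else:
            findings.append((path, m.group("arg"), "needs manual review"))
    return findings


def audit_tree(files):
    """Audit every file as its own entry point with fresh variable state,
    since any script under the web root can be requested directly."""
    results = []
    for path in sorted(files):
        results += audit_file(files, path)
    return results


if __name__ == "__main__":
    for file, arg, verdict in audit_tree(SAMPLE_FILES):
        print(f"{file}: include({arg}) -> {verdict}")
```

Run against the constructed tree, both dbfs.php and front_content.php come back "static" because config.php assigns $contenido_path before either include executes, which is exactly the argument in the post; only the hypothetical broken.php is flagged. A real audit would also have to consider whether config.php itself can be skipped or its variable reassigned later, so treat "static" as a reason to close the report only after confirming the include order in the actual shipped files.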
