[VIM] Contenido RFI - CVE dispute
Steven M. Christey
coley at mitre.org
Tue Oct 17 17:58:45 EDT 2006
BUGTRAQ:20061013 CMS contenido Remote File Inclusion
I was investigating whether this was a rediscovery of CVE-2005-4132,
but CVE-2005-4132 comes from a vague vendor disclosure that doesn't
have any vector information. So after a couple minutes'
investigation, I wasn't sure if this was really new or not.
Downloading the code from:
I got Stable Version 4.6.15.
It looks like config.php sets $contenido_path to a static value:

  $contenido_path = "../contenido/";

and config.php is included before the claimed-vulnerable code:

  include_once ($contenido_path . "includes/startup.php");
  # Contenido startup process

No other code in the cms/ directory has an include that uses
So, this looks like an incorrect report.
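
The check described in the post above (is the variable in the include path given a fixed value before the include runs?) can be sketched as a small triage script. This is an added example, not part of the original post or of Contenido; the file names cms/page.php and cms/other.php, the literal include of config.php and the variable $cfg_path are constructed for illustration.

```python
import re

# Constructed sample tree. Only the $contenido_path assignment and the
# startup.php include come from the post; file names, the literal
# include of config.php and $cfg_path are assumptions for illustration.
SAMPLE = {
    "cms/config.php": '<?php\n$contenido_path = "../contenido/";\n',
    "cms/page.php": (
        '<?php\n'
        'include_once ("config.php");\n'
        '# Contenido startup process\n'
        'include_once ($contenido_path . "includes/startup.php");\n'
    ),
    "cms/other.php": '<?php\ninclude_once ($cfg_path . "includes/startup.php");\n',
}

ASSIGN = re.compile(r'^\s*\$(\w+)\s*=\s*(["\'])[^"\'$]*\2\s*;')
INCLUDE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*(.+?)\s*\)?\s*;')
LITERAL = re.compile(r'^(["\'])([^"\'$]*)\1$')
VAR = re.compile(r'\$(\w+)')


def literal_assignments(source):
    """Names of variables assigned a plain string literal in this source."""
    return {m.group(1) for line in source.splitlines() if (m := ASSIGN.match(line))}


def triage(files, name):
    """Return (line, variable, verdict) for each include path built from a variable."""
    known, findings = set(), []
    directory = name.rsplit("/", 1)[0]
    for lineno, line in enumerate(files[name].splitlines(), 1):
        if line.lstrip().startswith(("#", "//")):
            continue  # skip single-line comments
        known |= literal_assignments(line)
        m = INCLUDE.search(line)
        if not m:
            continue
        literal = LITERAL.match(m.group(1))
        if literal:
            # File included by fixed path: its static assignments apply from here on.
            target = directory + "/" + literal.group(2)
            known |= literal_assignments(files.get(target, ""))
            continue
        for var in VAR.findall(m.group(1)):
            findings.append((lineno, var, "static" if var in known else "review"))
    return findings


if __name__ == "__main__":
    for path in ("cms/page.php", "cms/other.php"):
        print(path, triage(SAMPLE, path))
```

The scan is a line-order heuristic: a "static" verdict still needs a manual look for conditional assignments or other entry points that skip the config include, and "review" only means no fixed assignment was found before the include.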