[VIM] dispute: older CyBoards common.php RFI (CVE-2006-2871)
Steven M. Christey
coley at mitre.org
Thu Apr 12 00:09:36 UTC 2007
Ref: CyBoards PHP Lite v1.25 (common.PHP) Remote File Inclusion
Using the 1.25 code referenced in the previous post, we have:
... and later uses.
Inspection suggests that a failed inclusion would cause lots of
problems, so the pathname would need to be changed during
installation; this is also documented in readme.txt.
config.php itself has:
$script_path = "/home/www/forums"; // Unix path to the forum directory. Do not include a trailing slash
config.php doesn't have any nested includes, requires, dynamic
evaluation, or extract.
$script_path is used in other includes in common.php, but these have the
same negative results.
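
The check made in this post (is the include variable pinned to a literal before the include runs, with no extract or dynamic evaluation in between?) can be approximated as a triage pass over scanner-reported RFI candidates. This is an added example, not part of the original post or of CyBoards: COMMON_PHP, triage_includes and the file layout are assumptions, and the regex matching is a heuristic, not a PHP parser.

```python
import re

# Constructed inputs. CONFIG_PHP reuses the one config.php line quoted in the post;
# COMMON_PHP is a hypothetical stand-in for the pattern described, not CyBoards code.
CONFIG_PHP = ('<?php\n$script_path = "/home/www/forums"; // Unix path to the forum '
              'directory. Do not include a trailing slash\n?>')
COMMON_PHP = '<?php\ninclude("config.php");\ninclude($script_path . "/lang.php");\n?>'

# Drop comments but keep string literals intact ("include" also appears in comments).
STRIP_RE = re.compile(
    r'("(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\')|/\*.*?\*/|(?://|#)[^\n]*', re.S)
TOKEN_RE = re.compile(
    r'(?P<assign>^[ \t]*\$(?P<var>\w+)\s*=\s*(?P<q>["\'])[^"\'$]*(?P=q)\s*;)'
    r'|(?P<inc>\b(?:include|require)(?:_once)?\b\s*\(?(?P<arg>[^;]*?)\)?\s*;)'
    r'|(?P<taint>\b(?:extract|eval|import_request_variables)\s*\(|\$\$)', re.M)


def triage_includes(name, files, pinned=None, seen=None):
    """Return [(file, include_expr, verdict)] for every variable-based include."""
    pinned = set() if pinned is None else pinned   # vars set to a literal so far
    seen = set() if seen is None else seen
    seen.add(name)
    findings = []
    src = STRIP_RE.sub(lambda m: m.group(1) or '', files[name])
    for m in TOKEN_RE.finditer(src):
        if m.group('assign'):
            pinned.add(m.group('var'))     # unconditional, line-leading literal only
        elif m.group('taint'):
            pinned.clear()                 # extract()/eval()/$$ may overwrite any var
        else:
            arg = m.group('arg').strip()
            lit = re.fullmatch(r'(["\'])([^"\'$]+)\1', arg)
            if lit:
                # Static include: follow it if we have the file. If we do not, nothing
                # is pinned, which models the "failed inclusion" case conservatively.
                if lit.group(2) in files and lit.group(2) not in seen:
                    findings += triage_includes(lit.group(2), files, pinned, seen)
                continue
            free = [v for v in re.findall(r'\$(\w+)', arg) if v not in pinned]
            verdict = 'unpinned: ' + ','.join(free) if free else 'pinned'
            findings.append((name, arg, verdict))
    return findings


if __name__ == '__main__':
    for row in triage_includes('common.php',
                               {'common.php': COMMON_PHP, 'config.php': CONFIG_PHP}):
        print(row)
```

A "pinned" verdict only means the claim deserves the kind of manual dispute review done above; an "unpinned" verdict means the variable's origin still has to be traced by hand.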