[VIM] [false but true] "Allfaclassfieds" RFI no; PHP Classifieds yes

Steven M. Christey coley at mitre.org
Wed Apr 25 16:13:44 UTC 2007

Researcher: Dr.RoVeR
Ref: Allfaclassfieds (level2.php dir) remote file inclusion

With a name like "allfaclassfieds" that smelled like a typo, I
investigated a little bit more.  The referenced download URL creates a
directory "phpclassifides".  No mention of "allfa" is anywhere
according to grep.

Further grep finds this to be PHP Classifieds.

The presence of an "upgr_603_to_604.php" file, and most files dating
back to 2001, along with UPGRADE.txt, suggests an old version of 6.04;
latest version, released on April 14, is 7.2b.

The relevant RFI code does not appear in level2.php in the newer

But, admin/setup/level2.php in 6.04, we have:


as the first executable PHP code.

The installation appears to move from level1.php through level5.php;
the latter deletes the install file.  However, there's not any
evidence that the level*.php files are ever cleaned up, leaving them
open for later access.

- Steve
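As an added example (not part of Steve's post nor PHP Classifieds' own code), a small Python audit a site owner could run against a PHP Classifieds web root: it reports which admin/setup/level1.php through level5.php installer scripts are still present after setup, and flags any include/require in them whose path begins with a variable. The sample files it builds and the `$dir` variable are constructed for illustration; the post does not show the actual vulnerable line.

```python
import os
import re
import tempfile

# Installer scripts that PHP Classifieds 6.04 runs from admin/setup (names taken
# from the post); level5.php deletes the install file but these may remain.
INSTALL_FILES = ["admin/setup/level%d.php" % n for n in range(1, 6)]

# Heuristic for a remotely controllable include path: the path expression starts
# with a variable, e.g. include($dir . "/x.php") or include "$dir/x.php".
# With register_globals on, an unset variable here is chosen by the requester.
INCLUDE_RE = re.compile(
    r"\b(include|require)(?:_once)?\s*\(?\s*[\"']?\s*\$(\w+)", re.IGNORECASE)

def leftover_installers(webroot):
    """Installer scripts still present under the web root (should be none)."""
    return [rel for rel in INSTALL_FILES
            if os.path.isfile(os.path.join(webroot, rel))]

def variable_includes(path):
    """Names of variables that begin an include/require path in the file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [m.group(2) for m in INCLUDE_RE.finditer(fh.read())]

def audit(webroot):
    """Map each leftover installer to the variables leading its include paths."""
    return {rel: variable_includes(os.path.join(webroot, rel))
            for rel in leftover_installers(webroot)}

def build_sample(webroot):
    """Constructed stand-in for a half-cleaned install; $dir is hypothetical."""
    setup = os.path.join(webroot, "admin", "setup")
    os.makedirs(setup, exist_ok=True)
    with open(os.path.join(setup, "level2.php"), "w") as fh:
        fh.write('<?php\ninclude($dir . "/config.php");\n?>\n')
    with open(os.path.join(setup, "level5.php"), "w") as fh:
        fh.write('<?php\nrequire_once("../../config.php");\n?>\n')

def demo():
    """Build the sample tree in a temp dir and audit it."""
    webroot = tempfile.mkdtemp()
    build_sample(webroot)
    return audit(webroot)

if __name__ == "__main__":
    for rel, variables in demo().items():
        status = ("RFI candidate via $" + ", $".join(variables)
                  if variables else "present, no variable include")
        print("%s: %s" % (rel, status))
```

Any file the audit lists should be removed from the web root once setup is complete, whether or not a variable include is flagged.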
