[VIM] PBLang 4.60 <= (index.php) Remote File Include Vulnerability
George A. Theall
theall at tenablesecurity.com
Fri Feb 16 12:37:02 EST 2007
This concerns the remote file include reported in PBLang here:
http://www.securityfocus.com/archive/1/460315/30/0/threaded
The code in index.php starts with:
require ('header.php');
include("global.php");
include($dbpath."/settings.php");
header.php just sets some http headers, starts a session, and other
sorts of housekeeping; it doesn't reference $dbpath or include other files.
global.php doesn't exist out of the box but gets created as part of the
install to initialize constants, including $dbpath. At least as created,
it does not give a remote user any way to overwrite the setting for
$dbpath or use it, even indirectly. So this report looks bogus to me.
Btw, the download link in the advisory leads to version 4.65 as part the
enclosed docs/PBLang-update.txt (look at the bottom), not 4.60 as
claimed in the posting.
George
--
theall at tenablesecurity.com
More information about the VIM
mailing list