[VIM] CVE Dispute - PHPIrc_bot PHP file inclusion
Heinbockel, Bill
heinbockel at mitre.org
Thu Jan 4 11:25:29 EST 2007
researcher: ZooZ
BUGTRAQ:20061231 PHPIrc_bot <= Remote File Include
http://www.securityfocus.com/archive/1/archive/1/455613/100/0/threaded
researcher-claimed vulnerable code (sic):
> ;(include_once ($dir . $file
relevant code from php4you.php (lines 47-57):
> $dir = "bot_functions/";
> $dirh = opendir($dir);
> while ($file = readdir($dirh)) {
>     if (substr($file, -4) == ".php") {
>         include_once($dir . $file);
>     }
> }
> closedir($dirh);
obviously both $file and $dir are defined before use...
William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615
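The dispute above turns on one question: where do the arguments to include_once come from? The script below applies that reasoning mechanically. It is an added example written for this archive page, not code from PHPIrc_bot or from the original message. It is a small, flow-insensitive heuristic: it records every variable assigned in a PHP file, propagates taint from the request superglobals through assignments, and reports for each include/require whether the path is built from literals, from locally defined values, from user input, or from a variable the file never assigns (the case that would matter on a PHP 4 host with register_globals=on). The first sample is the php4you.php fragment quoted in the post; the other two are constructed for contrast.

```python
"""Classify the argument of each PHP include/require sink in a source file.

Added example for the PHPIrc_bot CVE dispute; not PHPIrc_bot code. The taint
propagation is deliberately simple (regex-based, no control flow), enough to
show why $dir and $file in php4you.php are not user-controlled.
"""
import re

# Request-derived superglobals (old HTTP_*_VARS names included for PHP 4 code).
SUPERGLOBALS = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_FILES", "$_SERVER",
                "$_ENV", "$GLOBALS", "$HTTP_GET_VARS", "$HTTP_POST_VARS"}

# include/require with or without parentheses, up to the terminating semicolon.
INCLUDE_RE = re.compile(r"\b(include_once|require_once|include|require)\b\s*\(?\s*([^;\n]*?)\)?\s*;")
# Plain or concatenating assignment; (?!=) keeps '==' comparisons out. No ';'
# is required so assignments inside conditions (while ($f = readdir(...))) count.
ASSIGN_RE = re.compile(r"(\$\w+)\s*\.?=(?!=)\s*([^;\n]+)")
VAR_RE = re.compile(r"\$\w+")


def assignments(php_source):
    """Return (variable, expression) pairs for every assignment in the source."""
    return ASSIGN_RE.findall(php_source)


def tainted_vars(php_source):
    """Variables that (transitively) receive data from a superglobal."""
    pairs = assignments(php_source)
    tainted = set()
    changed = True
    while changed:  # iterate to a fixed point so chained assignments propagate
        changed = False
        for var, expr in pairs:
            if var in tainted:
                continue
            sources = set(VAR_RE.findall(expr))
            if sources & SUPERGLOBALS or sources & tainted:
                tainted.add(var)
                changed = True
    return tainted


def classify(arg, tainted, assigned):
    """Verdict for one include argument expression."""
    used = set(VAR_RE.findall(arg))
    if not used:
        return "literal"
    if used & SUPERGLOBALS or used & tainted:
        return "user-controlled"
    if used - assigned:
        return "undefined-in-file"  # register_globals could supply these on PHP 4
    return "locally-defined"


def audit_includes(php_source):
    """Return [(statement, verdict), ...] for every include/require sink."""
    assigned = {var for var, _ in assignments(php_source)}
    tainted = tainted_vars(php_source)
    return [(m.group(0).strip(), classify(m.group(2), tainted, assigned))
            for m in INCLUDE_RE.finditer(php_source)]


# Sample 1: the php4you.php lines quoted in the post (reindented, otherwise verbatim).
PHP4YOU_SNIPPET = r'''
$dir = "bot_functions/";
$dirh = opendir($dir);
while ($file = readdir($dirh)) {
    if (substr($file, -4) == ".php") {
        include_once($dir . $file);
    }
}
closedir($dirh);
'''

# Sample 2 (constructed, not from PHPIrc_bot): the shape a real file-inclusion bug has.
USER_CONTROLLED_SNIPPET = r'''
$page = $_GET['page'];
$path = "pages/" . $page;
include_once($path . ".php");
'''

# Sample 3 (constructed): $dir is never assigned, which is what the claim would need.
UNDEFINED_VAR_SNIPPET = r'''
include_once($dir . "footer.php");
'''

if __name__ == "__main__":
    for name, src in [("php4you.php", PHP4YOU_SNIPPET),
                      ("constructed user-controlled", USER_CONTROLLED_SNIPPET),
                      ("constructed undefined", UNDEFINED_VAR_SNIPPET)]:
        for stmt, verdict in audit_includes(src):
            print(f"{name}: {stmt} -> {verdict}")
```

Run on the quoted fragment, the single include_once is reported as locally-defined: $dir is a string literal and $file comes from readdir() on that same directory, with neither touched by a superglobal. The constructed samples show the two verdicts that would have supported the report, so the check is useful for triaging similar "include($x)" claims before assigning a CVE.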