[VIM] Source VERIFY: nsGalPHP RFI

Steven M. Christey coley at mitre.org
Tue Jan 30 10:53:31 EST 2007


Researcher: S.W.A.T.
Ref: http://milw0rm.com/exploits/3205


The code extract is as it appears.  includes/config.inc.php has:

  include_once($racineTBS.'includes/tbs_class.php');

with no prior includes or definitions of $racineTBS.

Of note is that the researcher was not fooled by the main files, such
as connexion.php and index.php, which have:

  $racineTBS = '';
  require_once($racineTBS.'includes/config.inc.php');

and thus don't have RFI.

This is a good demonstration of a realization that I recently had -
PHP application developers don't expect that their library files will
be directly called, and this is probably the main source of RFIs.

- Steve
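An added example, not code from the post or from the nsGalPHP project: a small Python check for the pattern Steve describes, an include/require whose path starts with a variable that the same file never assigns (such a variable is only attacker-controlled when register_globals populates it from the request). The sample files are constructed to mirror the extract above, and the function names are mine.

```python
import re

# Constructed sample files modelled on the extract in the post, not the real
# nsGalPHP sources. The library file uses $racineTBS without defining it; the
# front-end file assigns it before the include, as connexion.php and index.php do.
SAMPLE_FILES = {
    "includes/config.inc.php": "<?php\n"
        "include_once($racineTBS.'includes/tbs_class.php');\n",
    "index.php": "<?php\n"
        "$racineTBS = '';\n"
        "require_once($racineTBS.'includes/config.inc.php');\n",
}

# include/require (with or without parentheses) whose path begins with
# "$var." i.e. a variable concatenated onto a literal.
INCLUDE_RE = re.compile(
    r"\b(include_once|require_once|include|require)\s*\(?\s*(\$[A-Za-z_]\w*)\s*\."
)


def unguarded_includes(src):
    """Return (line_no, variable) for each include/require whose leading
    variable has no assignment ("$var = ...", not "==") earlier in the file."""
    lines = src.splitlines()
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = INCLUDE_RE.search(line)
        if not m:
            continue
        var = m.group(2)
        earlier = "\n".join(lines[: lineno - 1])
        assigned = re.search(re.escape(var) + r"\s*=(?!=)", earlier)
        if not assigned:
            findings.append((lineno, var))
    return findings


def scan(files):
    """Map each file path to its findings; files with none are omitted."""
    report = {}
    for path, src in files.items():
        hits = unguarded_includes(src)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_FILES).items():
        for lineno, var in hits:
            print(f"{path}:{lineno}: include path built from unassigned {var}")
```

Run over a real tree, the check flags library files like config.inc.php while leaving the front-end files alone, which is exactly the distinction the researcher drew; it is a heuristic, since assignments made by an earlier include are outside a single file's view.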
