[VIM] Source VERIFY: nsGalPHP RFI
Steven M. Christey
coley at mitre.org
Tue Jan 30 10:53:31 EST 2007
The code extract is as appears. includes/config.inc.php has:
with no prior includes or definitions of $racineTBS.
Of note is that the researcher was not fooled by the main files, such
as connexion.php and index.php, which have:
$racineTBS = '';
and thus don't have RFI.
This is a good demonstration of a realization that I recently had -
PHP application developers don't expect that their library files will
be directly called, and this is probably the main source of RFIs.
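As an added illustration of that pattern (not from the original message and not nsGalPHP's actual code), here is a hypothetical library file in the vulnerable shape beside a hardened one. The include line, the `NSGAL_ENTRY` guard constant and the `lib/tbs_class.php` path are all assumptions made for the example; the only thing taken from the message is that the main files set `$racineTBS = ''` and the library file does not.

```php
<?php
// Added example, hypothetical; not nsGalPHP's real code.
//
// Vulnerable shape of a library file (includes/config.inc.php):
//
//   include($racineTBS . 'lib/tbs_class.php');   // $racineTBS never set in this file
//
// It only works because the entry points (index.php, connexion.php) assign
// $racineTBS = '' before including it. Requested directly, with
// register_globals enabled, $racineTBS is populated from the request instead,
// so the include path is attacker-controlled: classic RFI.

// --- entry point, e.g. index.php ---
//   define('NSGAL_ENTRY', true);              // guard constant (assumed name)
//   $racineTBS = '';                          // as the real entry points do
//   require_once __DIR__ . '/includes/config.inc.php';

// --- includes/config.inc.php, hardened ---
if (!defined('NSGAL_ENTRY')) {
    // Direct request to a library file: fail closed instead of trusting
    // whatever globals the request happened to supply.
    header('HTTP/1.1 403 Forbidden');
    exit('Direct access not permitted.');
}

// Derive the base path from this file's own location, a value that
// register_globals cannot override, rather than from a caller-set variable.
$racineTBS = __DIR__ . '/../';
require_once $racineTBS . 'lib/tbs_class.php';   // path is an assumption
```

The guard catches the direct-call case the message describes; initialising the path from `__DIR__` removes the dependence on caller discipline altogether. Independently of the code, setting `allow_url_include = Off` (and `register_globals = Off`) in php.ini stops remote URLs from being used as include targets even where such a variable is still reachable, and a quick audit for this pattern is to search the library directory for `include`/`require` calls whose argument begins with a variable that the same file never assigns.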