[VIM] FALSE -> DynamicPAD HomeDir RFI

str0ke str0ke at milw0rm.com
Tue May 8 19:05:16 UTC 2007

I'm lost on both of your emails!

On 5/8/07, Steven M. Christey <coley at linus.mitre.org> wrote:
> On Tue, 8 May 2007, str0ke wrote:
> > I don't have the source code to go back over 1.02 but it did seem
> > vulnerable before.

The source code can be accessed at


The files are marked as 2006 just as the release.  I tested by
downloading the source from the url and by clicking on the download
from the page which matched up.

28 Apr 2006.  Version 1.02 released. From now on DynamicPAD should
install and work smoothly on Windows+IIS servers. Also several
bugfixes has been made.

And the vulnerability report from the author of the product.

8 May 2007.  A dangerous vulnerability has been detected in DynamicPAD
1.02. We strongly suggest that you  upgrade to the latest version as
soon as possible!

head index.php
  $AfterLogin = "index.php";

  require_once( $HomeDir."dp_conf.php" );

head dp_logs.php
  $AfterLogin = "dp_logs.php";

  require_once( $HomeDir."dp_conf.php" );
  require_once( $HomeDir."phemplate.class.php" );
  require_once( $HomeDir."pager.php" );



More information about the VIM mailing list