[VIM] phpList "LFI" (OSVDB 50747 / Nessus 35259 / BID 32841)
Steven M. Christey
coley at linus.mitre.org
Tue Dec 23 20:06:45 UTC 2008
On Tue, 23 Dec 2008, security curmudgeon wrote:

> Below is confirmation that the recently reported "local file inclusion" is
> actually vulnerable to a remote file inclusion. This was discovered by
> Tenable during a quick examination of the 2.10.8 code base.

Speaking of LFI/RFI and PHP 5, does anybody have a cheat sheet of which
types of attacks work against which PHP settings and versions, especially
the remote ones? For example, I think some version of "allow_url_fopen"
will still accept ftp:// URLs even when disabled.

We run into this question every once in a while but are relatively
inconsistent in CVE with how we interpret such reports.