[VIM] phpList "LFI" (OSVDB 50747 / Nessus 35259 / BID 32841)

Steven M. Christey coley at linus.mitre.org
Tue Dec 23 20:06:45 UTC 2008


On Tue, 23 Dec 2008, security curmudgeon wrote:

> Below is confirmation that the recently reported "local file inclusion" is
> actually vulnerable to a remote file inclusion. This was discovered by
> Tenable during a quick examination of the 2.10.8 code base.

Speaking of LFI/RFI and PHP 5, does anybody have a cheat sheet of which
types of attacks work against which PHP settings and versions, especially
the remote ones?  For example, I think some version of "allow_url_fopen"
will still accept ftp:// URLs even when disabled.

We run into this question every once in a while but are relatively
inconsistent in CVE with how we interpret such reports.

- Steve

