[VIM] Pluck 4.6.2 (langpref) Local File Inclusion Vulnerabilities

George A. Theall theall at tenablesecurity.com
Mon May 18 18:44:52 UTC 2009


The issues in milw0rm 8715 / BID 35007 don't look valid to me. The  
code in the three files in 4.6.2 looks like:

   include ("data/settings/langpref.php");
   include ("data/inc/lang/en.php");
   include ("data/inc/lang/$langpref");

The first of these consists entirely of:

   <?php $langpref = "en.php"; ?>

and the second hardcodes variables named '$lang' and '$lang_' but  
doesn't reference any request data. Has anybody else looked into them?


George
-- 
theall at tenablesecurity.com
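The check described in the message above, as an added example that is not part of the original post: a small Python triage helper that walks a PHP include chain in order and reports whether a variable interpolated into an include path was last set from a string literal. The `FILES` tree, the `page.php` name, the body of `en.php` and the function names are constructed for illustration, and only literal assignments and double-quoted include paths are modelled.

```python
import re

# Constructed sample tree. The first and last files reuse the snippets quoted
# in the post; page.php's name and the body of en.php are constructed stand-ins.
FILES = {
    "page.php": 'include ("data/settings/langpref.php");\n'
                'include ("data/inc/lang/en.php");\n'
                'include ("data/inc/lang/$langpref");\n',
    "data/settings/langpref.php": '<?php $langpref = "en.php"; ?>',
    "data/inc/lang/en.php": '<?php $lang = "constructed"; $lang_ = "constructed"; ?>',
}

# One statement per match, in source order: an include/require, or an assignment.
STMT = re.compile(
    r'\b(?:include|require)(?:_once)?\s*\(?\s*"(?P<inc>[^"]*)"'
    r'|\$(?P<var>\w+)\s*=\s*(?P<rhs>[^;]+);')
LITERAL = re.compile(r'''^(?:"([^"$]*)"|'([^']*)')$''')
VAR = re.compile(r'\$(\w+)')

def scan(files, name, env, findings, depth=0):
    """Walk `name` in order, following literal includes and tracking literal assignments."""
    for m in STMT.finditer(files.get(name, "")):
        if m.group("var"):
            lit = LITERAL.match(m.group("rhs").strip())
            # Anything that is not a plain string literal is treated as unknown.
            env[m.group("var")] = next(g for g in lit.groups() if g is not None) if lit else None
            continue
        path = m.group("inc")
        names = VAR.findall(path)
        if not names:
            if depth < 8:  # guard against include cycles
                scan(files, path, env, findings, depth + 1)
        elif all(env.get(n) is not None for n in names):
            # Every interpolated variable is a known constant at this point.
            findings.append((path, "constant", VAR.sub(lambda v: env[v.group(1)], path)))
        else:
            # Never assigned, or assigned from a non-literal expression: review by hand.
            findings.append((path, "unresolved", None))
    return findings

def triage(files, entry):
    """Return (include path, status, resolved path) for each variable include."""
    return scan(files, entry, {}, [])
```

A result of `constant` means the include target is fixed by an earlier assignment in the chain; `unresolved` means the variable's origin still needs manual review.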