Bugtraq mailing list archives

Re: Phpjobscheduler 3.0 - Multiple Remote File Include

From: str0ke <str0ke () milw0rm com>
Date: Sat, 18 Nov 2006 15:48:12 -0600

On 11/18/06, Stefano Zanero <s.zanero () securenetwork it> wrote:

Firewall1954 () hotmail com wrote:

> # Phpjobscheduler 3.0  - Multiple Remote File Include by Firewall

Bogus

> # Code:
>                    include_once($installed_config_file)

include_once("functions.php"); some lines above includes a file which
statically sets that variable, so

> # ExPloit :

None of these work.

Please stop reporting bogus vulnerabilities ! Thanks !

Stefano


$installed_config_file = "config.inc.php";
if ($_REQUEST) foreach ($_REQUEST AS $key => $value) $$key = $value;

The line below the variable being defined is what makes this vulnerable.

Be safe,
/str0ke

Current thread:

Phpjobscheduler 3.0 - Multiple Remote File Include Firewall1954 (Nov 13)
- Re: Phpjobscheduler 3.0 - Multiple Remote File Include Stefano Zanero (Nov 18)
  - Re: Phpjobscheduler 3.0 - Multiple Remote File Include str0ke (Nov 18)