Bugtraq mailing list archives

Re: # MHG Security Team --- MyBloggie 2.1.1 version Remote File Include Vulnerabilit

From: "Steven M. Christey" <coley () mitre org>
Date: Mon, 5 Jun 2006 21:52:21 -0400 (EDT)


nukedx said:

This is not vulnerable,PHP-Nuke having a special in their files and
when includes mainfile.php it overwrites the global variables and it
caused to make an arbitrary file inclusion.

But in MyBloggie there is no common vulnerability like it.


In the source code for 2.1.1, many files have code like this:

  $mybloggie_root_path = './';

  include_once($mybloggie_root_path.'config.php');
  ...

so at least there isn't any obvious evidence of this issue, based on a
casual inspection.

Also - "scode.php" as mentioned by MHG does not exist in MyBloggie at
all, so maybe the site has been modified.

- Steve

Current thread:

# MHG Security Team --- MyBloggie 2.1.1 version Remote File Include Vulnerabilit erne ayaz (Jun 02)
- <Possible follow-ups>
- Re: # MHG Security Team --- MyBloggie 2.1.1 version Remote File Include Vulnerabilit nukedx (Jun 04)
- Re: # MHG Security Team --- MyBloggie 2.1.1 version Remote File Include Vulnerabilit Steven M. Christey (Jun 06)