Re: Startpage <= 1.0 (cfgLanguage) Remote File Inclusion Vulnerability

["Carsten Eilers" <ceilers-lists@xxxxxx>]

sh3ll@xxxxxxxx schrieb am Thu, 10 Aug 2006 20:53:46 +0000:

>Sanitize Variabel $cfgLanguage in edit.php , functions.php , new.php ,
>PageBottom.php 
>
>& PageTop.php

Take a look at config.php:

$cfgLanguage    = 'uk';                                         // Which 
language do you prefer :
                                                                //      uk = 
English
                                                                //      nl = 
Dutch
                                                                //      de = 
German


config.php is included in edit.php, new.php, PageBottom.php 
and PageTop.php at the top of the file, in functions.php at
the top of relevant functions.

No way to include something with cfgLanguage.

Regards
 Carste

-- 
Dipl.-Inform. Carsten Eilers
IT-Sicherheit und Datenschutz

<http://www.ceilers-it.de>