
Re: Morcego CMS <= 0.9.6 Remote File Include Vulnerability



The second vulnerability is also false:

includes/morcegoCMS/adodb/adodb.inc.php
Line: 3.245: include_once($path);


Context:

        function &NewDataDictionary(&$conn)
        {
                $provider = $conn->dataProvider;
                $drivername = $conn->databaseType;
                if ($provider !== 'native' && $provider != 'odbc' && $provider != 'ado')
                        $drivername = $conn->dataProvider;
                else {
                        if (substr($drivername,0,5) == 'odbc_') $drivername = substr($drivername,5);
                        else if (substr($drivername,0,4) == 'ado_') $drivername = substr($drivername,4);
                        else 
                        switch($drivername) {
                        case 'oracle': $drivername = 'oci8';break;
                        case 'sybase': $drivername = 'mssql';break;
                        case 'access':
                        case 'db2':             
                                break;
                        default:
                                $drivername = 'generic';
                                break;
                        }
                }
                include_once(ADODB_DIR.'/adodb-lib.inc.php');
                include_once(ADODB_DIR.'/adodb-datadict.inc.php');
                $path = ADODB_DIR."/datadict/datadict-$drivername.inc.php";

                if (!file_exists($path)) {
                        ADOConnection::outp("Database driver '$path' not available");
                        return false;
                }
                include_once($path);
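

Added example (not part of the original message, and not ADOdb or Morcego code): a heuristic triage in Python for reports like this one. It finds each include of a variable, looks up the nearest preceding assignment, and reports whether the start of the path is a constant or literal (as with ADODB_DIR in the quoted code) or request input. The sample strings, function names and superglobal list are assumptions made for the example.

```python
import re

# Constructed sample: the last lines of the function quoted in the message above.
SAMPLE = r'''
$path = ADODB_DIR."/datadict/datadict-$drivername.inc.php";
if (!file_exists($path)) {
    return false;
}
include_once($path);
'''

# Constructed contrast case: the start of the path comes from the request.
TAINTED = r'''
$path = $_GET['page'] . "/header.php";
include_once($path);
'''

INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)')
SUPERGLOBAL_RE = re.compile(r'^\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b')
CONST_RE = re.compile(r'^[A-Z_][A-Z0-9_]*\s*\.')   # CONSTANT . "rest"
LITERAL_RE = re.compile(r'''^["'][^"'${]+''')      # literal text before any interpolation

def classify_prefix(rhs):
    """Say who controls the START of a path expression.

    A URL scheme has to be the first thing in the string, so a path that
    begins with a constant or literal directory cannot name a remote URL.
    """
    rhs = rhs.strip()
    if SUPERGLOBAL_RE.match(rhs):
        return "request-controlled"
    if CONST_RE.match(rhs) or LITERAL_RE.match(rhs):
        return "fixed-prefix"
    return "unknown"   # variable or call first: trace it by hand

def triage(php_source):
    """Return (line_no, variable, verdict) for every include of a variable."""
    lines = php_source.splitlines()
    findings = []
    for no, line in enumerate(lines, 1):
        m = INCLUDE_RE.search(line)
        if not m:
            continue
        var, verdict = m.group(1), "unknown"
        assign = re.compile(r'\$' + re.escape(var) + r'\s*=(?!=)\s*(.+?);\s*$')
        for prev in reversed(lines[:no - 1]):   # nearest earlier assignment wins
            a = assign.search(prev)
            if a:
                verdict = classify_prefix(a.group(1))
                break
        findings.append((no, var, verdict))
    return findings
```

A "fixed-prefix" verdict only rules out the remote-URL case; an "unknown" verdict means the variable has to be traced manually, not that it is safe or unsafe.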