Re: Morcego CMS <= 0.9.6 Remote File Inclue Vulnerability
The second Vulnerability, is also false:
includes/morcegoCMS/adodb/adodb.inc.php
Line: 3.245: include_once($path);
Context:
function &NewDataDictionary(&$conn)
{
$provider = $conn->dataProvider;
$drivername = $conn->databaseType;
if ($provider !== 'native' && $provider != 'odbc' && $provider
!= 'ado')
$drivername = $conn->dataProvider;
else {
if (substr($drivername,0,5) == 'odbc_') $drivername =
substr($drivername,5);
else if (substr($drivername,0,4) == 'ado_') $drivername
= substr($drivername,4);
else
switch($drivername) {
case 'oracle': $drivername = 'oci8';break;
case 'sybase': $drivername = 'mssql';break;
case 'access':
case 'db2':
break;
default:
$drivername = 'generic';
break;
}
}
include_once(ADODB_DIR.'/adodb-lib.inc.php');
include_once(ADODB_DIR.'/adodb-datadict.inc.php');
$path = ADODB_DIR."/datadict/datadict-$drivername.inc.php";
if (!file_exists($path)) {
ADOConnection::outp("Database driver '$path' not
available");
return false;
}
include_once($path);