
1 Aug 29, 2006 21:35    

http://www.securityfocus.com/archive/1/444646/30/0/threaded

Author claims it's remotely exploitable. Has anyone at b2evo had a chance to look at this, and produce a fix? Author does not specify whether he did responsible disclosure or not, nor whether a fix is available. Thanks.

3 Aug 30, 2006 02:30

This is ridiculous (= "no problem").

$inc_path gets set by b2evolution itself and would therefore get overwritten from this kind of "global injection" (which would additionally require register_globals in PHP to be "on").
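
The point made in the reply above, as an added example that is not part of the original thread and is not b2evolution code: `extract()` stands in for `register_globals` (removed in PHP 5.4), and the function names, file name, path and request value are all constructed for illustration.

```php
<?php
// register_globals=On turned every request parameter into a variable
// before the script ran. extract() reproduces that effect locally so
// the behaviour can be observed on a current PHP version.

// Hypothetical script that never assigns $inc_path itself.
function uninitialized_script(array $request): string
{
    extract($request);                       // emulated register_globals
    // $inc_path holds whatever the request supplied, if anything.
    return ($inc_path ?? '') . '/_example.inc.php';
}

// Hypothetical script that assigns $inc_path explicitly before use,
// which is what the reply says b2evolution does.
function explicit_script(array $request): string
{
    extract($request);                       // emulated register_globals
    $inc_path = '/srv/app/inc';              // constructed path; overwrites any injected value
    return $inc_path . '/_example.inc.php';
}

// Constructed request parameter, for illustration only.
$request = ['inc_path' => 'http://untrusted.example.invalid'];

// Path each script would hand to include():
echo 'uninitialized: ', uninitialized_script($request), PHP_EOL;
echo 'explicit:      ', explicit_script($request), PHP_EOL;

// Audit check: on PHP >= 5.4 the directive no longer exists, so
// ini_get() returns false; on older versions it reports the setting.
var_dump(ini_get('register_globals'));
```

The first function returns a path under the request-supplied value, while the second always returns the path the script assigned, regardless of what the request contains.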

4 Aug 30, 2006 03:07

Things *like* these used to work back in 1999.

In this specific case, it would not even have worked back then because of the explicit global setting of $inc_path as stated by bluyed.

This is not even remotely a threat.

