Message-ID: <20071220202539.5626.qmail@securityfocus.com>
Date: 20 Dec 2007 20:25:39 -0000
From: antonio@...oniocortes.com
To: bugtraq@...urityfocus.com
Subject: Re: Morcego CMS <= 0.9.6 Remote File Inclue Vulnerability
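The second vulnerability is also false. In the context below, $path is not taken from the request: it is assigned inside the function, from the ADODB_DIR constant and a driver name derived from the $conn object, just before the include_once (how the fields of $conn are populated is outside this excerpt):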
includes/morcegoCMS/adodb/adodb.inc.php
Line: 3.245: include_once($path);
Context:
function &NewDataDictionary(&$conn)
{
$provider = $conn->dataProvider;
$drivername = $conn->databaseType;
if ($provider !== 'native' && $provider != 'odbc' && $provider != 'ado')
$drivername = $conn->dataProvider;
else {
if (substr($drivername,0,5) == 'odbc_') $drivername = substr($drivername,5);
else if (substr($drivername,0,4) == 'ado_') $drivername = substr($drivername,4);
else
switch($drivername) {
case 'oracle': $drivername = 'oci8';break;
case 'sybase': $drivername = 'mssql';break;
case 'access':
case 'db2':
break;
default:
$drivername = 'generic';
break;
}
}
include_once(ADODB_DIR.'/adodb-lib.inc.php');
include_once(ADODB_DIR.'/adodb-datadict.inc.php');
$path = ADODB_DIR."/datadict/datadict-$drivername.inc.php";
if (!file_exists($path)) {
ADOConnection::outp("Database driver '$path' not available");
return false;
}
include_once($path);