>From Mark O'Sullivan, on http://lussumo.com/community/: "Here is the code in question: $WorkingDirectory = str_replace('\\', '/', getcwd()).'/'; $RootDirectory = str_replace('setup/', '', $WorkingDirectory); // ... // Include the old settings file if it is present (it just contains constants) if (file_exists($RootDirectory.'conf/old_settings.php')) { include($RootDirectory.'conf/old_settings.php'); As you can see, there is NO vulnerability. The variable used in the path is defined a few lines above the code from the original report, and is defined using PHP's getcwd(); function. There is absolutely NO user-input that could cause the vulnerability suggested, and the "proof of concept" provided cannot possibly work."
