mfp.c,
In 8.0.2, the surrounding code for this bug is:
function insert_cached_module($module_desc)
{
...
global $lvc_modules_dir;
...
if (!$gloaded_modules[$module_name])
{
include($lvc_modules_dir.'/'.$module_name.'.module.php');
Since this include is within a function definition, the claimed
exploit (direct request to library.inc.php) should not work.
I'm unclear on whether a global declaration for a variable within a
function definition is sufficient to override initialization from
things like GET requests, but at best, the direct request to
library.inc.php appears erroneous.
Were you able to get an exploit to work?
- Steve
