An interesting idea and script!
Remote file inclusion requires that the variable is placed at the start of the include() or require() parameter.
This is potentially vulnerable:
include($file);
As well as this:
require ( "$file/test.php" );
But not this:
include("templatedir/$file");
I suppose one could change the script to only print parameters that match ^\s*"?\$ or something similar.
// Ulf Härnhammar (1 DSA coming up..)
Received on Sun Mar 20 2005 - 00:47:35 GMT