http://sx02.coresec.de/advisories/153.txt

############
# GW Script 2.50
#
# Homepage: http://sentinel.rdw-allianz.de/downloads.php
# Affected Version: <= 2.1.4
# Patched Version: /
# Date: 23.09.2006
#
# Application Risk: High
#
# Vendor notified : 23.09.2006
#
#
# Vulnerability found by : Sx02
# http://sx02.coresec.de
#
#
#############
#
#   Vulnerable code in fleet.php
#
#   <?php
#   require("fleet/config.php");
#   $PATH=$CONFIG['internal']['sqlconf'];
#   require("$PATH/config.php");
#   ...
#   ...
#
#   --------------------------------------------------------
#
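#   $CONFIG['internal']['sqlconf'] is not initialized before it is used to
#   build the require() path, so with register_globals enabled its value can
#   be supplied through the request. This makes fleet.php vulnerable to
#   remote file inclusion.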
#
#   fleet.php?$CONFIG['internal']['sqlconf']=
#
#   Required : register_globals = On
#
#   --------------------------------------------------------
#
#   Solution :
#
#   Initialize variables before using them in include/require paths, and
#   run PHP with register_globals = Off.
#
#   --------------------------------------------------------
#
#   "Everything should be made as simple as possible, but not simpler"
#   'Albert Einstein'
#
############