Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
Bugtraq report of Vanilla 1.0.1 security vulnerability
Doesn't anyone here read Bugtraq?

http://seclists.org/bugtraq/2006/Jul/0409.html

Nobody responded to these accusations at all. I e-mailed SecurityFocus.com (they tend to be the most popular repository/database of security vulnerabilities) refuting the claims made by the person posting about the vulnerability.

Now first off, there's no such thing as Vanilla 1.0.1. Were they looking at the Subversion repository checkout version?

Second off, I looked at the code and the $RootDirectory variable is set just a few lines above in the Vanilla 1 source. It's set based on a getcwd() call, so there's no chance for user input. Someone would have to delete those two lines and then turn on register_globals for this to be a vulnerability. wtf?
This discussion has been closed.
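The check the post describes (is the variable used in an include path assigned earlier in the file, or could register_globals supply it?) can be automated when triaging a report like this. The following is an added example, not part of the original post and not Vanilla's code; the PHP samples are constructed and the function names are hypothetical.

```python
import re

# Constructed PHP samples (not Vanilla's source). SAFE mirrors what the post
# describes: the variable is assigned from getcwd() before the include.
SAFE = """<?php
$RootDirectory = getcwd() . '/';
include($RootDirectory . 'conf/settings.php');
"""
# UNSET is the post's hypothetical: the assignment is gone, so with
# register_globals on, a request parameter could supply the value.
UNSET = """<?php
include($RootDirectory . 'conf/settings.php');
"""

INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\b\s*\(?([^;]*);')
ASSIGN_RE = re.compile(r'\$(\w+)\s*=(?![=>])')   # plain assignment, not == or =>
VAR_RE = re.compile(r'\$(\w+)')
# Request-derived superglobals are never a trusted source for a path.
TAINTED = {"_GET", "_POST", "_REQUEST", "_COOKIE"}

def strip_comments(src):
    """Blank out PHP comments, keeping line numbers (naive: ignores string contents)."""
    keep = lambda m: "\n" * m.group().count("\n")
    src = re.sub(r'/\*.*?\*/', keep, src, flags=re.S)
    return re.sub(r'(?m)(//|#).*$', '', src)

def unassigned_include_vars(src):
    """Return (line, variable) for include paths built from a variable that is
    request-derived or has no assignment earlier in the file."""
    src = strip_comments(src)
    findings = []
    for m in INCLUDE_RE.finditer(src):
        assigned = set(ASSIGN_RE.findall(src[:m.start()]))
        for var in VAR_RE.findall(m.group(1)):
            if var in TAINTED or var not in assigned:
                findings.append((src.count("\n", 0, m.start()) + 1, var))
    return findings

if __name__ == "__main__":
    for name, sample in (("SAFE", SAFE), ("UNSET", UNSET)):
        print(name, unassigned_include_vars(sample))
```

The check is a file-local heuristic: it ignores function scope and assignments made in other included files, so a finding is a prompt to read the code, not a confirmed vulnerability.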