> This is a serious issue... I have a php script which lets me navigate the
> entire hard disk in a cobalt raq3. I have sent it to cobalt security
> people... but they just didn't say a word about it

That's correct. In the release notes for 4.1, I got the strong impression that they hope to migrate to a more secure default config. But because many (most) developers are used to the previous, relaxed configuration, they are going to do it over a couple of versions. They say that 4.2 will by default come with many of the security features enabled.

If you read through the documentation on the PHP site, you will see that since php4 was released, the emphasis on security has greatly increased with each new version. There is a lot of documentation there on how to tighten up the basic install. I strongly recommend reading it.

www.php.net

P.S. I believe that this is a common problem, even among cgi scripts. You can use the CGI version of PHP and benefit from cgi-wrap which is installed on the server. However, I don't write CGI and therefore only know that cgi-wrap supposedly increases security of CGI scripts. I don't know if this problem is fixed there or not.

Matt Nuzum

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
