Guys,

Please read the advisory.  You simply can't say that register_globals=off 
wouldn't have resulted in more secure apps, because there are *3* examples 
(or more, I don't remember) there of applications that would not have been 
exploitable had register_globals=on been in effect!
Unless we make the very unlikely assumption that these are the only apps 
that were vulnerable (and from what I understand in the advisory, pretty 
much any app they checked was vulnerable at one point or another), saying 
that setting register_globals to off is going to improve security is pretty 
much a fact, and not an opinion.

Zeev

At 03:15 27/07/2001, Björn Schotte wrote:
>* Rasmus Lerdorf wrote:
> > significantly more secure PHP scripts out there.  It will simply cause
> > scripts to break in non-obvious ways and the knee-jerk fix will be to
> > swear at those annoying PHP folks and then turn register_globals on, or
> > they will do something like:
> >
> >   foreach($HTTP_POST_VARS as $key=>$val) $$key = $val;
> >   foreach($HTTP_GET_VARS as $key=>$val) $$key = $val;
> >   foreach($HTTP_COOKIE_VARS as $key=>$val) $$key = $val;
>
>I fully agree here with Rasmus and I also think this will
>be the workaround for most people -- if one _does_ care
>about security, he even knows what and how to do nowadays.
>I don't think turning register_globals to off will evangelize
>people to develop more secure scripts/applications.
>
>--
>PHP Schulungen und                        | International PHP Conference
>Schulungsmaterial:                        |             05. - 07.11.2001
>http://thinkphp.de/                       |      Astron Hotel, Frankfurt
>http://rent-a-phpwizard.de/schulungen.php |  http://www.php-kongress.de/

--
Zeev Suraski <[EMAIL PROTECTED]>
CTO &  co-founder, Zend Technologies Ltd. http://www.zend.com/
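As an added illustration of the point in dispute (this is not code from the thread, from Rasmus, or from PHP itself), the following PHP script contrasts the quoted foreach workaround with explicit input handling. The request array is constructed inline so the script runs from the command line; in a real request PHP fills $HTTP_GET_VARS (PHP 4) or $_GET (PHP 4.1 and later) itself. The function names and the 'authorized' key are illustrative assumptions.

```php
<?php
// Constructed request: a client sends ?page=home&authorized=1.
// Nothing in the script ever intends 'authorized' to come from the client.
$HTTP_GET_VARS = array('page' => 'home', 'authorized' => '1');

// --- Pattern 1: the workaround quoted in the thread ---------------------
function check_with_workaround($vars) {
    // Same effect as: foreach($HTTP_GET_VARS as $key=>$val) $$key = $val;
    // Every request key becomes a local variable, including keys the script
    // never expected to receive (and even the parameter name $vars itself).
    foreach ($vars as $key => $val) $$key = $val;

    // Typical code of the era: $authorized is assigned only on success and is
    // otherwise assumed to be unset. The request above has already set it.
    if (isset($vars['user']) && $vars['user'] === 'admin') {
        $authorized = true;
    }
    return !empty($authorized);
}

// --- Pattern 2: explicit input handling, no variable variables ---------
function check_explicit($vars) {
    $authorized = false;   // initialised before use, so the request cannot pre-set it
    // Only the keys the script knows about are read, and only from the array.
    if (isset($vars['user']) && $vars['user'] === 'admin') {
        $authorized = true;
    }
    return $authorized;
}

var_dump(check_with_workaround($HTTP_GET_VARS));
var_dump(check_explicit($HTTP_GET_VARS));
```

The first call reports the request as authorised because the loop imported the client-supplied 'authorized' key as a local variable; the second ignores it because the variable is initialised locally and input is read by name from the array. The difference is the same one register_globals=off forces on a script: data arrives in an array and only becomes a variable when the script assigns it.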


--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
