i just read an article in 2600 yesterday about supposed
PHP/CGI vulnerabilities.  anyone else catch it?

personally, when i read the article, i started chuckling,
becuase the supposed "vulnerability" is not with PHP or
any particular language, but with shoddy "secure" 
programming practises (which are a problem with any
language), so i was a little let down that i wasn't
going to get some info on actual "PHP vulnerabilities".

the authour described the supposedly common practise of
passing around a plaintext variable denoting whether or
not the page was supposed to authorize a user or not:

the article went on to explain how incredibly easy it 
is to exploit this type of website by simply changing
"mode=secure" to "mode=insecure" and effectively skipping
the need to authenticate yourself.  the article also
urged all readers to develop more secure PHP code and
avoid the practise of being lazy about authentication.

(if you dont bother to write good security code, it's
usually worse than having no security at all, becuase
having bad security will prompt people to break it
just to prove that it's worthless)

just figured i'd paraphrase the article and suggest that
you all pick up an issue 2600 - it's a great read... and
in the most recent issue, there's an article about PHP/perl
based mailing lists and ways that they can be exploited
to mail-bomb people.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to