And I forgot: also set in php.ini

allow_url_include = Off

armin

On Jan 9, 2008 3:26 PM, Armin Burger <[EMAIL PROTECTED]> wrote:
> Michael
>
> thanks for the hint.
>
> First thing I find a bit weird is that somebody files a security
> problem on a public site (secwatch.org) without notifying the software
> developer (i.e. me).
>
> Second, the obvious suggestion for avoiding this security leak is to
> disable typical security holes of PHP in general: In my understanding
> this exploit can only work if in php.ini there is the setting
>
> register_globals = On
>
> and additionally
>
> allow_url_fopen = On
>
> Both settings have been known for ages as a high risk for code
> insertion. I cannot imagine that the exploit could work if one of
> these settings is disabled (set to 'Off'). Normally one should disable
> both.
>
> So the obvious suggestion is to disable both in your php.ini. Software
> should be programmed so that it needs neither of these settings
> set to 'On', at least not register_globals.
>
> This security hole exists in practically all .phtml files since
> they use variables for inclusion paths.
> I can add checks to see whether someone has tried to point the variable
> at a URL, but I would strongly encourage everybody to deactivate both
> settings anyway.
>
> Armin
>
>
> On Jan 9, 2008 9:45 AM, Pfeiffer Michael <[EMAIL PROTECTED]> wrote:
> > Hi everybody,
> >
> > there seems to be a security gap in pmapper. For further information
> > please read this: http://secwatch.org/advisories/1019622/
> > Has anybody of you heard about this problem or maybe had this problem
> > himself?
> > Our server was compromised by an IRC bot to send phishing mails this
> > way.
> >
> > Are there any suggestions how to close this security gap and to avoid
> > the resulting problems?
> >
> > Thanks in advance
> >
> > Kind regards
> >
> > Michael Pfeiffer
> >
> > Kanton Solothurn
> > Bau- und Justizdepartement
> > Amt für Geoinformation
> > Rötistrasse 4
> > 4501 Solothurn
> > T: ++41 (0)32 627 6087
> > Fax: ++41 (0)32 627 2214
> > mailto:[EMAIL PROTECTED]
> > http://www.agi.so.ch
> >
> > -------------------------------------------------------------------------
> > Check out the new SourceForge.net Marketplace.
> > It's the best place to buy or sell services for
> > just about anything Open Source.
> > http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
> > _______________________________________________
> > pmapper-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/pmapper-users
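The thread's two mitigations, refusing to run with the risky php.ini settings enabled and checking that a variable used as an include path is not being pointed at a URL, written out as an added example. This is not p.mapper's own code; the helper names `assert_safe_ini()` and `safe_include_path()`, the `templates` directory and the `template` request parameter are assumptions for illustration, and PHP 8 is assumed for `str_contains()`/`str_starts_with()`.

```php
<?php
// Added example, not code from p.mapper: refuse to run while the php.ini
// settings discussed in the thread are On, and validate an include path
// taken from a request variable before it ever reaches include/require.
declare(strict_types=1);

// Hypothetical helper: fail closed if the interpreter is configured unsafely.
function assert_safe_ini(): void
{
    foreach (['register_globals', 'allow_url_fopen', 'allow_url_include'] as $opt) {
        // ini_get() returns false for directives this PHP build does not know
        // (register_globals was removed in PHP 5.4); treat that as Off.
        $val = ini_get($opt);
        if ($val !== false && filter_var($val, FILTER_VALIDATE_BOOLEAN)) {
            throw new RuntimeException("Refusing to run with $opt=On; set it to Off in php.ini");
        }
    }
}

// Hypothetical helper: map an untrusted "which file" value onto a file that
// really lives under $baseDir. Returns the canonical path, or null to reject.
function safe_include_path(string $baseDir, string $userValue): ?string
{
    // Anything with a URL scheme (http://, ftp://, php://, data:) or a parent
    // directory reference is rejected outright; only a plain relative name passes.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $userValue) || str_contains($userValue, '..')) {
        return null;
    }
    // Conservative character set and the extensions the application actually uses.
    if (!preg_match('#^[A-Za-z0-9_/-]+\.(phtml|php)$#', $userValue)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $userValue);
    // realpath() is false for a missing file; the prefix check also catches
    // symlinks that resolve to somewhere outside $baseDir.
    if ($base === false || $full === false || !str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $full;
}

assert_safe_ini();
$candidate = $_GET['template'] ?? 'default.phtml';   // never passed to include as-is
$path = safe_include_path(__DIR__ . '/templates', $candidate);
if ($path === null) {
    http_response_code(400);
    exit('invalid template');
}
include $path;
```

With `allow_url_fopen`/`allow_url_include` Off the interpreter already refuses remote includes, so the path check is the second layer for the local-file case the ini settings do not cover.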
