RE: [PHP] Fwd: PhpSmsSend remote execute commands bug

2002-01-29 Thread Jason Murray
I think I'm going to start forwarding all the bugtraq alerts for PHP scripts to this list. Any objections? Yes, if the author of the script isn't on the list it's useless unless someone wants to patch their script themselves. And if they're the kind of person who's inclined to do that,

RE: [PHP] Fwd: PhpSmsSend remote execute commands bug

2002-01-29 Thread bvr
I agree, but it may be useful to tell those newbies that when you execute a command from PHP that will get some parameters from an external source (like a form or a get variable) ALWAYS use the escapeshellcmd() function to prevent users from executing arbitrary commands. bvr. There's such a

Re: [PHP] Fwd: PhpSmsSend remote execute commands bug

2002-01-29 Thread Evan Nemerson
Good point, but I actually recommend newbies subscribe to bugtraq. It really opened my eyes to the world of cross-site scripting. Now I not only know how, but do, write secure code. If I saw a warning about a script either here or on bugtraq, I would immediately patch it - or at least shut down