> Or turn off Register_global, and then MODULES_DIR would only exist in  
> $_GET[]. I chalk this one up to a bad PHP configuration:
> http://www.php.net/register_globals
> While it would not stop attacks that could cause you to include stuff  
> if other variables are not checked before blindly being used from the  
> $_POST and $_GET arrays, however the attack you just mentioned is  
> null and void.
> If you are running with register_globals on, you should seriously re- 
> consider. It will be deprecated, and I can't wait for it to finally  
> be gone, then script writers will have to learn how to use the  
> array's that were meant for that sort of data.
> Bert JW Regeer

Yes, register_globals was turned on and consiquently turned off, but
thats no excuse for not protecting the vars.

Reply via email to