> Or turn off Register_global, and then MODULES_DIR would only exist in > $_GET. I chalk this one up to a bad PHP configuration: > > http://www.php.net/register_globals > > While it would not stop attacks that could cause you to include stuff > if other variables are not checked before blindly being used from the > $_POST and $_GET arrays, however the attack you just mentioned is > null and void. > > If you are running with register_globals on, you should seriously re- > consider. It will be deprecated, and I can't wait for it to finally > be gone, then script writers will have to learn how to use the > array's that were meant for that sort of data. > > Bert JW Regeer
Yes, register_globals was turned on and consiquently turned off, but thats no excuse for not protecting the vars.