
Re: Re: PHPList <= 2.10.2 remote commands execution



Isn't this old news?

Your app is a sieve if you run with register globals on (or have developed your 
own code to do the same thing and replace it). It's a disaster waiting to 
happen.

In the PHP manual, the developers of PHP have posted a big fat warning about 
this. It's easier to secure your code than it is to secure register globals. 
It's possible to eventually finish securing your code with regard to this.

Though it takes some extra work, it's worth it because it takes less work to 
get it done than it does to continually fix the ever-growing flow of 
vulnerabilities related to this configuration setting being on. They will never 
stop coming. 

People were trying to fix register_globals 5 years ago and they still are 
battling this. It took me a month to turn this off, and secure my code on all 4 
apps that I am responsible for. What does that tell you?

Sorry for the lecture, but I've seen way too many vulnerabilities here related 
to this. PHP developers everywhere should know better by now.

-Viz
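
The audit that goes with turning register_globals off, as an added example that is not part of the original post: a Python check that flags the setting being enabled in configuration and PHP constructs that re-create it in application code. The pattern list and the sample inputs are constructed for illustration and are not exhaustive.

```python
import re

# PHP constructs that re-create register_globals in application code.
# Real PHP functions/idioms; the list is illustrative, not exhaustive.
EMULATION_PATTERNS = [
    ("extract() on request data", re.compile(
        r"\bextract\s*\(\s*\$(?:_(?:GET|POST|COOKIE|REQUEST)"
        r"|HTTP_(?:GET|POST|COOKIE)_VARS)\b")),
    ("import_request_variables()", re.compile(
        r"\bimport_request_variables\s*\(")),
    ("variable-variable assignment from a request array", re.compile(
        r"foreach\s*\(\s*\$_(?:GET|POST|COOKIE|REQUEST)\s+as\s+\$(\w+)"
        r"\s*=>\s*\$\w+\s*\)\s*\{?\s*\$\$\1\s*=")),
]

# php.ini ("register_globals = On") or .htaccess ("php_flag register_globals on").
# Lines commented out with ';' or '#' do not match because of the ^ anchor.
INI_ON = re.compile(
    r"^\s*(?:php_(?:admin_)?flag\s+)?register_globals\s*=?\s*(?:on|1|true|yes)\b",
    re.I | re.M)

def scan_php(source):
    """Return sorted (line_number, description) pairs for each construct found."""
    findings = []
    for label, pattern in EMULATION_PATTERNS:
        for match in pattern.finditer(source):
            line = source.count("\n", 0, match.start()) + 1
            findings.append((line, label))
    return sorted(findings)

def ini_enables_register_globals(text):
    """True if an active (uncommented) directive switches register_globals on."""
    return bool(INI_ON.search(text))

# Constructed sample inputs, not taken from PHPList or any real application.
SAMPLE_PHP = """<?php
extract($_REQUEST);
foreach ($_GET as $key => $value) {
    $$key = $value;
}
$page = isset($_GET['page']) ? (int) $_GET['page'] : 1;
"""
SAMPLE_INI = "; constructed sample\n;register_globals = On\nregister_globals = On\n"

if __name__ == "__main__":
    print("ini enables register_globals:", ini_enables_register_globals(SAMPLE_INI))
    for line, label in scan_php(SAMPLE_PHP):
        print("line %d: %s" % (line, label))
```

Reading a value explicitly from a superglobal, as on the last line of the sample, is not flagged; only constructs that turn arbitrary request keys into variables are.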