On Sat, Nov 15, 2003 at 10:43:14PM -0500, Alex J. Avriette wrote:
> On Sat, Nov 15, 2003 at 08:11:34PM -0600, Tom Goulet (UID0) wrote:
>
> > If you have register globals off *or* safe mode on, this particular
> > exploit is useless.
>
> > If you had register globals on and safe mode off then he could run
> > arbitrary programs as your Apache user.  It's possible he could run a
> > local root exploiting program, but that's not as likely.
>
> It really irritates me that people continue to use this when the
> php.ini file repeatedly warns (no, begs) you not to.

FWIW, having register globals off sometimes gives a false sense of
security.  Recently, I've discovered that PHP-Nuke just seems to work well
with this setting, because it circumvents it by calling
import_request_variables('GPC').  I'm less than happy about PHP.

bit,
adam

-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622 82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net | And out of mind
Sleep forever
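
Added example, not part of the message above and not PHP-Nuke code: a source audit for application code that re-creates register_globals behaviour regardless of php.ini. It goes beyond the import_request_variables('GPC') case named in the message to also cover extract() on request superglobals, which has the same effect. The function name scan_php and the sample source are constructed for illustration.

```python
import re

# Request arrays whose keys are chosen by the client.
SUPERGLOBALS = r"\$_(?:GET|POST|COOKIE|REQUEST)|\$HTTP_(?:GET|POST|COOKIE)_VARS"
# PHP function names are case-insensitive; the lookbehind skips
# method calls (->extract) and longer identifiers.
IMPORT_CALL = re.compile(
    r"(?<![\w>:$])(?i:import_request_variables)\s*\(([^)]*)\)")
EXTRACT_CALL = re.compile(
    rf"(?<![\w>:$])(?i:extract)\s*\(\s*(?:{SUPERGLOBALS})\b([^)]*)\)")


def scan_php(source):
    """Return sorted (line, severity, reason) findings for PHP source text.

    Comments are not stripped, so a commented-out call is still reported.
    """
    findings = []
    for m in IMPORT_CALL.finditer(source):
        args = [a.strip() for a in m.group(1).split(",")]
        # A non-empty second argument prefixes every imported variable name.
        prefixed = len(args) > 1 and args[1] not in ("", "''", '""')
        findings.append((
            source.count("\n", 0, m.start()) + 1,
            "review" if prefixed else "high",
            "import_request_variables " +
            ("with prefix" if prefixed else "into the global scope"),
        ))
    for m in EXTRACT_CALL.finditer(source):
        # EXTR_SKIP / EXTR_PREFIX_* limit overwrites but can still
        # create variables the script never initialised.
        flagged = re.search(r"EXTR_(?:SKIP|PREFIX_\w+)", m.group(1))
        findings.append((
            source.count("\n", 0, m.start()) + 1,
            "review" if flagged else "high",
            "extract() on request data" + (" with flags" if flagged else ""),
        ))
    return sorted(findings)


# Constructed sample input.
SAMPLE = """<?php
// constructed sample
import_request_variables('GPC');
import_request_variables("gp", "rvar_");
extract($_REQUEST);
extract($_POST, EXTR_SKIP);
if ($is_admin) { show_admin_panel(); }
"""

if __name__ == "__main__":
    for line, severity, reason in scan_php(SAMPLE):
        print(f"line {line}: [{severity}] {reason}")
```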