On Fri, Nov 19, 2010 at 4:17 PM, Daniel Convissor <
dani...@analysisandsolutions.com> wrote:

> Hi Johannes:
>
> On Thu, Nov 18, 2010 at 05:25:49PM +0100, Johannes Schlüter wrote:
> >
> > > 2) Error out if using CGI or web SAPI and one of the following is true:
> > >    a) php.ini does not contain "magic_quotes_gpc = Off"
> > >    b) php.ini contains "magic_quotes_runtime = On"
> > >    c) php.ini contains "magic_quotes_sybase = On"
> > >    d) php.ini does not exist
> >
> > d) is no option.
>
> Yeah, I hear you and figured there would be objection.
>
> At the same time, for server administrators, isn't knowingly creating one
> file with "magic_quotes_gpc = Off" in it a very low hurdle compared to
> unknowingly getting pwn3d and then having to clean up that mess later?
>
> If this isn't acceptable, let's come up with some other fail-safe options.
>

You can get pwn3d with magic_quotes_gpc = On also (through insecure usage
of register globals, or remote code inclusion/execution; XSS/reflection and
SQL injection are also possible with magic_quotes_gpc enabled).
For example: http://www.exploit-db.com/papers/15446/

Tyrael
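
The checks a) to d) quoted at the top of this thread, written out as an audit over the text of a php.ini file. This is an added example, not code from the thread or from PHP itself; the function name `audit_php_ini`, the simplified ini parsing and the sample files are assumptions made for illustration, and SAPI detection is left out.

```python
import re

# Values PHP's ini reader treats as boolean false (case-insensitive).
# Assumption for this example: any other value counts as "On".
OFF_VALUES = {"", "0", "off", "no", "false", "none"}

def audit_php_ini(text):
    """Return the rule letters (a-d) from the proposal that `text` violates.

    `text` is the content of php.ini, or None when no php.ini exists.
    """
    if text is None:
        return ["d"]                      # d) php.ini does not exist
    settings = {}
    for raw in text.splitlines():
        # ';' starts a comment; good enough for boolean directives.
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
        if m:
            # A later assignment overrides an earlier one.
            settings[m.group(1)] = m.group(2).strip().strip("\"'").lower()
    failures = []
    # a) requires an explicit "magic_quotes_gpc = Off": a missing or
    #    commented-out directive fails just like "On" does.
    if settings.get("magic_quotes_gpc") not in OFF_VALUES:
        failures.append("a")
    # b) and c) fail only when the directive is explicitly switched on.
    for letter, name in (("b", "magic_quotes_runtime"),
                         ("c", "magic_quotes_sybase")):
        if name in settings and settings[name] not in OFF_VALUES:
            failures.append(letter)
    return failures

# Constructed sample files, not taken from any real server.
SAMPLE_OK = "[PHP]\nmagic_quotes_gpc = Off\nmagic_quotes_runtime = Off\n"
SAMPLE_BAD = "; magic_quotes_gpc = Off\nmagic_quotes_sybase = On\n"

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD), ("missing", None)):
        print(label, audit_php_ini(text))
```
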
