Hi!

> I have to at least php:// 
> php://input or php://stdin 
> allows attacker script execution via POST if it's allowed
> by allow_url_include=On.

allow_url_include=On means it's allowed. That's what "on" setting is
for. Production setting should always be "off".
-- 
Stas Malyshev
smalys...@gmail.com

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to