i just read an article in 2600 yesterday about supposed PHP/CGI vulnerabilities. anyone else catch it?

personally, when i read the article, i started chuckling, because the supposed "vulnerability" is not with PHP or any particular language, but with shoddy "secure" programming practices (which are a problem with any language), so i was a little let down that i wasn't going to get some info on actual "PHP vulnerabilities".

the author described the supposedly common practice of passing around a plaintext variable denoting whether or not the page was supposed to authorize a user:

http://server.com/this.php?mode=insecure
http://server.com/this.php?mode=secure

the article went on to explain how incredibly easy it is to exploit this type of website by simply changing "mode=secure" to "mode=insecure" and effectively skipping the need to authenticate yourself.

the article also urged all readers to develop more secure PHP code and avoid the practice of being lazy about authentication. (if you don't bother to write good security code, it's usually worse than having no security at all, because having bad security will prompt people to break it just to prove that it's worthless)

just figured i'd paraphrase the article and suggest that you all pick up an issue of 2600 - it's a great read... and in the most recent issue, there's an article about PHP/perl based mailing lists and ways that they can be exploited to mail-bomb people.

--
PHP General Mailing List (http://www.php.net/)
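
The pattern described in the post above, next to a version that relies only on server-side session state. This is an added example, not code from the original post or from the 2600 article; the function names and the `user_id` session key are assumptions.

```php
<?php
// Added illustration. Function names and the 'user_id' session key are
// assumptions; on a real page $query would be $_GET and $session would be
// $_SESSION after session_start().

// Flawed pattern: the client-supplied "mode" parameter decides whether
// authentication is enforced at all.
function page_allowed_flawed(array $query, array $session): bool
{
    $mode = $query['mode'] ?? 'secure';
    if ($mode === 'insecure') {
        return true;                  // check skipped because the URL said so
    }
    return isset($session['user_id']);
}

// Corrected pattern: the decision depends only on state the server set
// itself at login. Request parameters are never consulted.
function page_allowed_fixed(array $query, array $session): bool
{
    return isset($session['user_id']) && is_int($session['user_id']);
}

// Constructed sample requests (not taken from any real site).
$cases = [
    'anonymous, mode=secure'   => [['mode' => 'secure'],   []],
    'anonymous, mode=insecure' => [['mode' => 'insecure'], []],
    'logged in, mode=secure'   => [['mode' => 'secure'],   ['user_id' => 42]],
    'logged in, mode=insecure' => [['mode' => 'insecure'], ['user_id' => 42]],
];

foreach ($cases as $label => [$query, $session]) {
    printf(
        "%-26s flawed=%-5s fixed=%s\n",
        $label,
        var_export(page_allowed_flawed($query, $session), true),
        var_export(page_allowed_fixed($query, $session), true)
    );
}
```

The two functions disagree only on the anonymous request carrying `mode=insecure`, which is the case the article is about.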