/me unsubscribes : )
----- Original Message ----- 
From: "scott [gts]" <[EMAIL PROTECTED]>
To: "php" <[EMAIL PROTECTED]>
Sent: Monday, July 09, 2001 11:40 AM
Subject: [PHP] a recent 2600 article about PHP/CGI vulnerabilities


> i just read an article in 2600 yesterday about supposed
> PHP/CGI vulnerabilities.  anyone else catch it?
> 
> personally, when i read the article, i started chuckling,
> because the supposed "vulnerability" is not with PHP or
> any particular language, but with shoddy "secure" 
> programming practises (which are a problem with any
> language), so i was a little let down that i wasn't
> going to get some info on actual "PHP vulnerabilities".
> 
> the author described the supposedly common practise of
> passing around a plaintext variable denoting whether or
> not the page was supposed to authorize a user or not:
>   http://server.com/this.php?mode=insecure
>   http://server.com/this.php?mode=secure
> 
> the article went on to explain how incredibly easy it 
> is to exploit this type of website by simply changing
> "mode=secure" to "mode=insecure" and effectively skipping
> the need to authenticate yourself.  the article also
> urged all readers to develop more secure PHP code and
> avoid the practise of being lazy about authentication.
> 
> (if you don't bother to write good security code, it's
> usually worse than having no security at all, because
> having bad security will prompt people to break it
> just to prove that it's worthless)
> 
> just figured i'd paraphrase the article and suggest that
> you all pick up an issue of 2600 - it's a great read... and
> in the most recent issue, there's an article about PHP/perl
> based mailing lists and ways that they can be exploited
> to mail-bomb people.
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
> 
> 
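The pattern the quoted post describes, as an added example that is not part of the original thread: the check that trusts a client-supplied `mode` flag, next to a hardened version that derives authorization only from server-side session state. The function names, the `user` session key and the demo credentials are constructed for this example; `$session` arrays stand in for `$_SESSION` so it runs on the CLI.

```php
<?php
declare(strict_types=1);
// Added example (not from the original post); names and demo data are constructed.

// Vulnerable: the client-supplied query string decides whether the check runs.
// Requesting this.php?mode=insecure skips authentication entirely.
function vulnerable_is_authorized(array $get, array $session): bool
{
    $mode = $get['mode'] ?? 'secure';
    if ($mode === 'insecure') {
        return true;
    }
    return isset($session['user']);
}

// Hardened: authorization depends only on server-side session state that the
// login code path wrote after verifying credentials. The request is not consulted.
function hardened_is_authorized(array $session): bool
{
    return isset($session['user']);
}

// The only code path that writes the session flag. $users maps usernames to
// password_hash() digests; $session stands in for $_SESSION so this runs on the CLI.
function login(array $post, array $users, array &$session): bool
{
    $name = (string) ($post['username'] ?? '');
    $hash = $users[$name] ?? null;
    if ($hash === null || !password_verify((string) ($post['password'] ?? ''), $hash)) {
        return false; // unknown user or wrong password: session stays anonymous
    }
    // With a real session, call session_regenerate_id(true) here so the
    // privilege change does not reuse a session id chosen before login.
    $session['user'] = $name;
    return true;
}

// Constructed demo data: one registered user, one anonymous visitor.
$users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
$anonymous = [];
// The same anonymous visitor with ?mode=insecure appended to the URL,
// evaluated by the vulnerable check and then by the hardened one.
var_dump(vulnerable_is_authorized(['mode' => 'insecure'], $anonymous));
var_dump(hardened_is_authorized($anonymous));

// Only a successful login changes the hardened check's answer.
$session = [];
login(['username' => 'alice', 'password' => 'correct horse battery'], $users, $session);
var_dump(hardened_is_authorized($session));
```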

