Topic awaiting preservation: Santy. (Page 1 of 1) |
|
---|---|
Bipolar (III) Inmate From: Phoenix |
posted 12-28-2004 15:29
Just jumped over to the assylum to make sure it was still up! |
Maniac (V) Inmate From: under the bed |
posted 12-28-2004 15:36 |
Paranoid (IV) Mad Scientist with Finglongers From: Germany |
posted 12-28-2004 16:11
yeah. So far no automated spam, and certainly no global virus attack. |
Maniac (V) Inmate From: Cell 53, East Wing |
posted 12-28-2004 20:47
It gets worse: quote:
|
Maniac (V) Inmate From: Den Haag: The Royal Residence |
posted 12-29-2004 11:21
GN is up and running at the moment...just checked |
Maniac (V) Mad Librarian From: Seoul, Korea |
posted 12-29-2004 12:55
I really wish people would write in English. Could someone explain to me what this means: "has the potential to exploit any site that's left allowed arbitrary file inclusion into PHP scripts." |
Paranoid (IV) Mad Scientist with Finglongers From: Germany |
posted 12-29-2004 13:48
basically anything that does a variant of include ($someVar), where $someVar could be coming from 'outside'. Bonus points if you have the url-to-file-wrapper on and the attacker can include code coming from his own server. |
Maniac (V) Inmate From: under the bed |
posted 12-29-2004 15:34
So just to make sure I'm understanding - simply using include() or require() isn't the problem, but specifying something other than a hard-coded path as the include might be? |
Paranoid (IV) Mad Scientist with Finglongers From: Germany |
posted 12-29-2004 16:05
indeed. Specifing anything that can be overwritten from the outside in an php->include or a php->require (or their _once equivalents) is a security risk. |
Maniac (V) Mad Scientist From: 100101010011 <-- right about here |
posted 12-29-2004 17:29
The path doesn't necessarily have to be hard coded. But it needs to be validated before used. For example you don't want a page called like this: |
Maniac (V) Inmate From: under the bed |
posted 12-29-2004 17:56 |
Maniac (V) Mad Librarian From: Seoul, Korea |
posted 12-30-2004 05:41
Yes, thank you. That's what I was thinking as well, but the article Emps linked to above was painfully obtuse on the point. |