Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Re: Re: PHPList <= 2.10.2 remote commands execution
From: rg.viza () gmail com
Date: 11 Apr 2006 16:45:56 -0000
Isn't this old news?

Your app is a sieve if you run with register globals on (or have developed your own code to do the same thing and 
replace it). It's a disaster waiting to happen.

In the PHP manual, the developers of PHP have posted a big fat warning about this. It's easier to secure your code than 
it is to secure register globals. It's possible to eventually finish securing your code with regard to this.

Though it takes some extra work, it's worth it because it takes less work to get it done than it does to continually 
fix the ever growing flow of vulnerabilities related to this configuration setting being on. They will never stop 
coming. 

People were trying to fix register_globals 5 years ago and they still are battling this. It took me a month to turn 
this off, and secure my code on all 4 apps that I am responsible for. What does that tell you?

Sorry for the lecture, but I've seen way to many vulnerabilities here related to this. PHP developers everywhere should 
know better by now.

-Viz

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]