Bugtraq mailing list archives

Re: Squirrelmail local file inclusion
From: "Steven M. Christey" <coley () mitre org>
Date: Tue, 6 Jun 2006 16:32:02 -0400 (EDT)


Paul Schmehl said:

This is the second "bug" I've seen in the past week that requires
register_globals to be on.  Yet register_globals has been off by
default for the past four years.

But after a disclosure of a PHP issue with a functioning exploit, many
sites are regularly hacked soon afterward.  It might be off by
default, but it is clearly on (or required) in many operational
environments.  Some products specifically recommend or require
register_globals, so they will have these issues.

Squirrelmail even warns specifically against using register_globals =
on and checks for it when installing.

...

Yet now we're getting "security advisories" warning, hey, if you
change the defaults and ignore all the warnings, you too can write
insecure code!

In this sense, I agree.  Default configuration is one thing, but
active negligence is another.

That said, Squirrelmail apparently thinks this issue is important
enough to release an advisory:

 http://www.squirrelmail.org/security/issue/2006-06-01

So maybe they know more about the implications on their consumers than
we do.

- Steve
