Hi Muthu,

Yes, I saw that as well. Both in adodb and in some other files there are such variables, which I left out for the moment. But for the check whether the file is called directly (that would represent an intrusion) it should be corrected. I know that $_SERVER['SCRIPT_NAME'] will not make purists happy, because the use of the $_SERVER arrays should be handled with care, so it is not perfect for a paranoid configuration. But I tried here to find a way between paranoid and careless settings.

For the other sections where it is being used we have to rethink whether we could find an alternative. Adodb seems to like the use of the $PHP_SELF variable... however... and I think for the current step it would be OK to leave it as it is. Each challenge has its own time. ;-)

Robert

On Thursday, 16.09.2010, 21:12 +0530, Ap.Muthu wrote:
> Hi Robert,
>
> Please check the need to replace $PHP_SELF and revert it if needed.
> The said variable is a clean value of $_SERVER['PHP_SELF'] and in some
> instances made as $thisfle.
> It is globally declared in AdoDB:
> classes/adodb/adodb-pager.inc.php (lines 60/63)
> classes/adodb/adodb-perf.inc.php (line 919)
> and in
> classes/calendar_jl/class.calendar.php (line 62)
>
> There were a total of 44 files referring to $PHP_SELF prior to your updates.
>
> Regards,
> Ap.Muthu
> apmu...@usa.net
>
> > Hi,
> >
> > Belongs to committed revisions 6704, 6705 and 6706:
> >
> > Just checked some debug information and found that:
> >
> > /*------begin------ This protection code was suggested by Luki R.
> > l...@karet.org ---- */
> > if (stristr('inc_date_format_functions.php',$PHP_SELF))
> > die('<meta http-equiv="refresh" content="0; url=../">');
> > /*------end------*/
> >
> > Why do I think it is so evil? Well, first I got a warning here:
> > Notice: Undefined variable: PHP_SELF [...]
> >
> > Besides the syntax error used here, $_SERVER['PHP_SELF'] is not that much
> > better. $PHP_SELF seems to me like a strange mix-up, not sure. Maybe
> > there was a reason for it, but I do not see it. I am not that perfect,
> > maybe someone smarter than me can explain it to me ;-)
> >
> > But then I tested around and it is... interesting:
> >
> > file: test.php
> > contains:
> > <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
> >
> > Now... what do you think will happen when I call that script with:
> > http://localhost/test.php/"></form>itchy script:
> > <script>alert('gotcha');</script><form action="./test.php
> >
> > Huhhh... not good. So I made a workaround with
> > $_SERVER['SCRIPT_NAME']
> >
> > Robert
> >
> > p.s. who is Luki R. l...@karet.org ??
>
> _______________________________________________
> Care2002-developers mailing list
> Care2002-developers@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/care2002-developers

--
--------------------------------------------
CARE2X - free Integ Hospital Info System
https://sourceforge.net/projects/care2002/
http://www.care2x.org
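To make the two points of the thread concrete (the form action built from $_SERVER['PHP_SELF'] and the direct-call guard on the include file), here is an added PHP example; it is not part of the original thread or of the Care2X code. The $_SERVER values are constructed to simulate a request with attacker-supplied PATH_INFO, and the include file name is taken from the quoted snippet.

```php
<?php
// Added example (not Care2X project code). The $_SERVER entries below are
// constructed: they simulate a request for /test.php with extra path data
// appended, which is exactly what PHP_SELF carries and SCRIPT_NAME does not.
$_SERVER['SCRIPT_NAME'] = '/test.php';
$_SERVER['PHP_SELF']    = '/test.php/"><b>injected</b><form action="/test.php';

// Unsafe: PHP_SELF includes PATH_INFO, so quotes and tags end up inside the
// attribute and break out of it, as shown in the thread.
function form_action_unsafe(): string {
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Hardened: SCRIPT_NAME holds only the script path, and escaping for the HTML
// attribute context neutralises any special characters that remain.
function form_action_safe(): string {
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Direct-access guard. The quoted snippet calls
// stristr('inc_date_format_functions.php', $PHP_SELF); stristr() takes
// (haystack, needle), so that searches the file name for the whole request
// path and almost never matches. Comparing the requested script's basename with
// the include's own file name is the intended check.
function called_directly(string $include_file, string $script_name): bool {
    return strcasecmp(basename($script_name), basename($include_file)) === 0;
}

echo form_action_unsafe(), "\n";
echo form_action_safe(), "\n";

// Simulate the two ways the include can be reached: requested directly, or
// pulled in by another script (only the first should be refused).
$include = 'inc_date_format_functions.php';
foreach (['/include/' . $include, '/test.php'] as $requested) {
    echo $requested, ' -> ', called_directly($include, $requested) ? 'refuse' : 'allow', "\n";
}
```

In the real include file the guard would be `if (called_directly(__FILE__, $_SERVER['SCRIPT_NAME'])) { exit; }` placed before any other code.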