Hi Muthu,

Yes, I saw that as well. Both in adodb and in some other files there are
such variables, which I left out for the moment.
But for the check if the file is called directly (that would represent an
intrusion) it should be corrected. I know that the
$_SERVER['SCRIPT_NAME'] will not make purists happy, because the use of
$_SERVER arrays should be handled with care - so not perfect for a
paranoid configuration. But I tried here to find a way between paranoid
and careless settings.

For the other sections where it is being used, we have to rethink whether we
could find an alternative.

Adodb seems to like the $PHP_SELF variable use... however... and I
think for the current step it would be ok to leave it as it is.

Each challenge has its own time. ;-)

Robert


On Thursday, 16.09.2010, 21:12 +0530, Ap.Muthu wrote:
> Hi Robert,
> 
> Please check the need to replace $PHP_SELF and revert it if needed.
> The said variable is a clean value of $_SERVER['PHP_SELF'] and in some 
> instances made as $thisfle.
> It is globally declared in AdoDB:
> classes/adodb/adodb-pager.inc.php (lines 60/63)
> classes/adodb/adodb-perf.inc.php (line 919)
> and in
> classes/calendar_jl/class.calendar.php (line 62)
> 
> There were a total of 44 files referring to $PHP_SELF prior to your updates.
> 
> Regards,
> Ap.Muthu
> apmu...@usa.net
> 
> 
> > Hi,
> >
> > Belongs on committed revisions 6704, 6705 and 6706:
> >
> > Just checked some debug information and found that:
> >
> > /*------begin------ This protection code was suggested by Luki R.
> > l...@karet.org ---- */
> > if (stristr('inc_date_format_functions.php',$PHP_SELF))
> > die('<meta http-equiv="refresh" content="0; url=../">');
> > /*------end------*/
> >
> > Why do I think it is so evil? Well, first I got here a warning:
> > Notice: Undefined variable: PHP_SELF [...]
> >
> > Besides the syntax error used here, $_SERVER['PHP_SELF'] is not that much
> > better. $PHP_SELF seems to me like a strange mix-up, not sure. Maybe
> > there was a reason for it, but I do not see it. I am not that perfect,
> > maybe someone smarter than me can explain it to me ;-)
> >
> > But then I tested around and it is ..interesting:
> >
> > file: test.php
> > contains:
> > <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method ="post">
> >
> > Now.. what do you think will happen when I call that script with:
> > http://localhost/test.php/";></form>itchy script:
> > <script>alert('gotcha');</script><form action="./test.php
> >
> > Huhhh... not good. So I made a workaround with
> > $_SERVER['SCRIPT_NAME']
> >
> > Robert
> >
> > p.s. who is Luki R. l...@karet.org ??
> 
> 
> 
> ------------------------------------------------------------------------------
> Start uncovering the many advantages of virtual appliances
> and start using them to simplify application deployment and
> accelerate your shift to cloud computing.
> http://p.sf.net/sfu/novell-sfdev2dev
> _______________________________________________
> Care2002-developers mailing list
> Care2002-developers@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/care2002-developers

-- 
--------------------------------------------
CARE2X - free Integ Hospital Info System
https://sourceforge.net/projects/care2002/
http://www.care2x.org
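The two problems discussed in this thread, the reflected XSS through an unescaped $_SERVER['PHP_SELF'] and the direct-access guard that relied on a register_globals-style $PHP_SELF, can be shown side by side. The following is an added example written for this page; it is not code from the CARE2X project or from anyone in the thread. The function names and the request values are constructed for illustration. It assumes the reader knows that a bare $PHP_SELF only exists when register_globals is on (hence the "Undefined variable" notice), that PHP_SELF carries client-supplied PATH_INFO after the script name, and that SCRIPT_NAME is set by the web server from the resolved script path. Whichever variable is chosen, the robust fix is to HTML-encode it before putting it into an attribute.

```php
<?php
// Added example (not from the CARE2X thread or code base).
// Shows why echoing $_SERVER['PHP_SELF'] unescaped is an XSS sink,
// two hardened form-action variants, and a direct-access guard that
// does not depend on the register_globals variable $PHP_SELF.

// Vulnerable: PHP_SELF includes PATH_INFO, so /test.php/<anything>
// puts attacker-controlled text straight into the attribute.
function form_action_vulnerable(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened option 1: keep PHP_SELF but encode it for an HTML attribute.
function form_action_escaped(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Hardened option 2: SCRIPT_NAME carries no PATH_INFO; still encode it,
// because any server variable placed in HTML deserves output encoding.
function form_action_script_name(array $server): string
{
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Direct-access guard for an include file: compare the basename of the
// executing script with the basename of this file. Both values come
// from the server/filesystem, not from the request path, and the
// argument order problem of stristr(needle, haystack) is avoided.
function is_called_directly(string $includeFile, array $server): bool
{
    return basename($includeFile) === basename($server['SCRIPT_NAME']);
}

// Constructed request values (hypothetical, not captured from a server).
$request = [
    'PHP_SELF'    => '/test.php/"><script>alert(1)</script>',
    'SCRIPT_NAME' => '/test.php',
];

echo form_action_vulnerable($request), "\n";   // script tag lands in the page
echo form_action_escaped($request), "\n";      // rendered as inert text
echo form_action_script_name($request), "\n";  // action="/test.php" only

// Guard usage at the top of an include file, replacing the meta-refresh
// die() from the thread:
//   if (is_called_directly(__FILE__, $_SERVER)) { header('Location: ../'); exit; }
```

Running this with the constructed values shows the first output containing a live `<script>` element while the other two contain either the encoded `&lt;script&gt;` text or just `/test.php`. The guard returns true for the include file only when the web server was asked for that file by name, which is the condition Robert calls an intrusion.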

