Hi!

> It's a design vulnerability. It does not have to be an attack-able security hole
> without broken code. There are many security issues and countermeasures
> like this. e.g. register globals in PHP, stack smashing attack in C, etc.

It's not stack smashing. It's like saying because you can call external code from C it's a C vulnerability. It's not - if you make your program execute external code, it will.

> Some people are trying to introduce TAG less execution. Wise choice for
> TAG less execution would be removing famous LFI vulnerability from PHP.

It's not a vulnerability in PHP. It's a vulnerability in your code. And I don't see how anything changes with whatever "tagless execution" is - if you allow foreign code to be executed within the context of your application, it can do anything your code does. So unless you ban include completely, it will be able to do includes.

--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227