-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
while getting to know the PHP code better and better, I noticed that obviously
PHP runs with "register_globals = on" for Savane (and, no doubt, Savannah as
well).
This is a bad thing to do and should be avoided under all circumstances.
Moreover, there are some portions of the code where a malicious user can
easily inject SQL code to, say, view the contents of /etc/passwd.
Since this is a public mailing list, I won't disclose the information about
how to do it. I think it's much better to work out a solution, write the
code, and then update all servers.
I haven't looked into all files, but I can imagine that there are other
possibilities as well: Maybe deleting all data from tables, adding yourself
to a project you don't belong to, etc. The list is probably not complete.
How should we proceed?
Cheers,
- --
Tobias
"We either learn from history or, uh, well, something bad will happen."
-- Bob Church
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFAKRWzCqqEJ0Fs8twRAj6GAJ9DCaGvPaZ7XmvMSEu9mmpfwbFPGACcD4ut
BUI7t5r1ic7BrlXepLkqvkY=
=AzaR
-----END PGP SIGNATURE-----
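An added illustration of the two problems the message raises, register_globals and string-built SQL. This is example code written for this page, not code from Savane, Savannah or the author of the message; the table, column and parameter names are made up, the hard-coded password is a stand-in for a real check, and the SQLite-backed PDO connection is only there so the script runs offline (PDO postdates the message, but the pattern is the same for the mysql_* functions of the time).

```php
<?php
// Example code for this page, not Savane's code. Names are hypothetical.

// --- Problem 1: register_globals = On --------------------------------------
// With register_globals on, every GET/POST/cookie parameter is imported into
// the global scope before the script runs. extract() reproduces that here so
// the example can run regardless of php.ini.
function vulnerable_is_authorized(array $request, $password)
{
    extract($request);                      // emulates register_globals = On
    if ($password === 'hypothetical-secret') {
        $authorized = true;                 // only path that should set it
    }
    // ?authorized=1 in the request pre-sets $authorized, bypassing the check.
    return !empty($authorized);
}

function safe_is_authorized(array $request, $password)
{
    $authorized = false;                    // initialised, never taken from input
    if ($password === 'hypothetical-secret') {
        $authorized = true;
    }
    return $authorized;                     // $request is never imported
}

// --- Problem 2: SQL built from request variables --------------------------
function make_db()
{
    $pdo = new PDO('sqlite::memory:');      // constructed sample data
    $pdo->exec('CREATE TABLE users (user_id INTEGER, user_name TEXT, email TEXT)');
    $pdo->exec("INSERT INTO users VALUES (1, 'alice', 'alice@example.org')");
    $pdo->exec("INSERT INTO users VALUES (2, 'bob',   'bob@example.org')");
    return $pdo;
}

function vulnerable_lookup(PDO $pdo, $user_id)
{
    // Interpolating the parameter lets "1 OR 1=1" (or a UNION) rewrite the query.
    $sql = "SELECT user_name, email FROM users WHERE user_id = $user_id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function safe_lookup(PDO $pdo, $user_id)
{
    // Placeholder plus type coercion: the value can never become SQL syntax.
    $stmt = $pdo->prepare('SELECT user_name, email FROM users WHERE user_id = ?');
    $stmt->execute([(int) $user_id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demonstration ---------------------------------------------------------
$attack = ['authorized' => '1'];            // no password supplied at all
printf("register_globals bypass: vulnerable=%d safe=%d\n",
    vulnerable_is_authorized($attack, ''),
    safe_is_authorized($attack, ''));

$pdo = make_db();
$injected = '1 OR 1=1';
printf("injection: vulnerable returns %d rows, safe returns %d rows\n",
    count(vulnerable_lookup($pdo, $injected)),
    count(safe_lookup($pdo, $injected)));
```

Running it shows the vulnerable authorization check accepting a request that never supplied a password, and the string-built query returning every user for the input `1 OR 1=1` while the prepared statement returns only user 1. The configuration side of the fix is `register_globals = Off` in php.ini (or `php_flag register_globals off` in the web server configuration) together with explicit reads from `$_GET`, `$_POST` and `$_COOKIE`; the code side is parameterised queries for every value that comes from the request.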