is completely correct as i understand php to work.
-Original Message-
From: Chris [mailto:[EMAIL PROTECTED]
Sent: Monday, November 13, 2006 6:28 PM
To: [EMAIL PROTECTED]
Cc: 'PHP'
Subject: Re: [PHP] Highjack?
bruce wrote:
rory..
thanks.. i had meant to say assuming globals is off
bruce wrote:
hi chris...
for the initial post, it does/did matter for register_globals to be on/off.
in your reply, you use a $_GET[..] for the $path var. in the initial post
that i saw, (which i replied to), the $path var was simply used, without the
$_GET[..]. it's my understanding
At 12:38 PM -0500 11/13/06, Eric Butera wrote:
Tedd,
I've seen this happen before when someone was able to do a remote code
execution exploit on an old version of a very popular open source
shopping cart project. I'd say the first thing would be to try and
find any include/require statements
I usually use an array with site configuration which I define at top
included file so you cannot overwrite the configuration paths from
outside the scripts.
<?php
// Site configuration is set in the script itself, never taken from request input
$APP_CFG = array();
$APP_CFG['my_path'] = '/somewhere/on/server/';
?>
From TFM:
If URL fopen wrappers are enabled in PHP
On 11/13/06, tedd [EMAIL PROTECTED] wrote:
Hi gang:
While this is not an obvious php question, it does deal with security
which is a concern.
Just this morning had a couple of my sites highjacked. What I found
was someone had replaced my root level index.php with their own
index.php. You can
be static, and
couldn't be munged...
thoughts/explanations...
thanks
-Original Message-
From: Eric Butera [mailto:[EMAIL PROTECTED]
Sent: Monday, November 13, 2006 9:39 AM
To: tedd
Cc: PHP General List
Subject: Re: [PHP] Highjack?
On 11/13/06, tedd [EMAIL PROTECTED] wrote:
Hi gang
Message
From: bruce [EMAIL PROTECTED]
To: Eric Butera [EMAIL PROTECTED]; tedd [EMAIL PROTECTED]
Cc: PHP General List php-general@lists.php.net
Sent: Monday, November 13, 2006 11:55:13 AM
Subject: RE: [PHP] Highjack?
eric...
you say how embarrassing regarding the $path.'foo' i'm curious, why
: Nov 13, 2006 7:12 PM
Subject: Re: [PHP] Highjack?
To: [EMAIL PROTECTED]
On 11/13/06, bruce [EMAIL PROTECTED] wrote:
eric...
you say how embarrassing regarding the $path.'foo' i'm curious, why/how is
this simple piece of code exploitable. assuming $path is not something that
comes via