Open Source and information security mailing list archives
Date: Tue, 17 Aug 2004 18:38:11 +0200
From: Cedric Blancher <blancher@...tel-securite.fr>
To: bugtraq@...urityfocus.com
Subject: Re: SQL Injection in CACTI


On Tue 17/08/2004 at 10:53, Thomas Chiverton wrote:
> >                 php_flag magic_quotes_gpc Off
> Cacti 0.8.5a does not ship with this set Off*, so this must be a Debian 
> packaging error.

Cacti does not ship PHP. This option is related to PHP configuration,
not to Cacti, that should not rely on any PHP specific option unless
clearly mentioned (e.g. "Cacti must have magic_quotes_gpc set to On"),
whether it is the default or not.
I just checked available PHP distros, i.e. 4.3.8 and 5.0.1. They are
shipped with two php.ini files, php.ini-dist and php.ini-recommended. The
first one has magic_quotes_gpc set to On, but it is set to Off in the
second one...

> The install instructions at 
> http://www.raxnet.net/products/cacti/documentation.php?action=view&id=6
> make no mention of having to disable the magic quote feature.

True. And it is not mentioned to have it On either.

> I am running this version of Cacti with magic quotes On fine, this is the PHP 
> default, afaik.

Cacti should not rely on specific PHP configuration to escape characters
using magic quotes in order to prevent command/code/SQL/whatever
injection, or any security stuff, but its own code to validate user
input.


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
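To illustrate the point made in the reply above about validating input in the application rather than depending on magic_quotes_gpc, here is an added example; it is not Cacti's code nor part of the original thread. It assumes a PDO connection and a hypothetical `host` table with `id` and `hostname` columns.

```php
<?php
// Added example: application-side validation and parameterised queries
// instead of relying on the php.ini setting magic_quotes_gpc.

// Fragile pattern: correctness depends on magic_quotes_gpc being On.
// With it Off (php.ini-recommended), a quote in the value reaches the
// SQL text unescaped, so the query's meaning depends on php.ini.
function buildQueryRelyingOnMagicQuotes(string $host): string
{
    return "SELECT id, hostname FROM host WHERE hostname = '" . $host . "'";
}

// Explicit validation: accept only the shape the code actually expects
// (a DNS-style hostname), and reject everything else outright.
function isValidHostname(string $host): bool
{
    $label = '[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?';
    return strlen($host) <= 253
        && preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) === 1;
}

// Numeric identifiers: digits only, bounded length.
function isValidId(string $id): bool
{
    return ctype_digit($id) && strlen($id) <= 10;
}

// Parameterised query: the value never becomes part of the SQL text,
// so the magic_quotes_gpc setting is irrelevant to its safety.
// $pdo and the table/column names are assumptions for this example.
function findHost(PDO $pdo, string $host): ?array
{
    if (!isValidHostname($host)) {
        return null; // reject, do not try to "escape" an unexpected value
    }
    $stmt = $pdo->prepare('SELECT id, hostname FROM host WHERE hostname = :h');
    $stmt->execute([':h' => $host]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs showing what the validation accepts.
foreach (['router1.example.net', "o'brien", 'bad host', '-leading'] as $s) {
    printf("%-20s %s\n", $s, isValidHostname($s) ? 'accepted' : 'rejected');
}
```

Only the first sample is accepted; the others are rejected before any SQL is built, regardless of how php.ini is configured.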

