| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Jun 2006 16:32:02 -0400 (EDT) From: "Steven M. Christey" <coley@...re.org> To: bugtraq@...urityfocus.com Subject: Re: Squirrelmail local file inclusion Paul Schmehl said: >This is the second "bug" I've seen in the past week that requires >register_globals to be on. Yet register_globals has been off by >default for the past four years. But after a disclosure of a PHP issue with a functioning exploit, many sites are regularly hacked soon afterward. It might be off by default, but it is clearly on (or required) in many operational environments. Some products specifically recommend or require register_globals, so they will have these issues. >Squirrelmail even warns specifically against using register_globals = >on and checks for it when installing. > >... > >Yet know we're getting "security advisories" warning, hey, if you >change the defaults and ignore all the warnings, you too can write >insecure code! In this sense, I agree. Default configuration is one thing, but active negligence is another. That said, Squirrelmail apparently thinks this issue is important enough to release an advisory: http://www.squirrelmail.org/security/issue/2006-06-01 So maybe they know more about the implications on their consumers than we do. - Steve
Powered by blists - more mailing lists