Message-ID: <20040606062534.14334.qmail@www.securityfocus.com>
Date: 6 Jun 2004 06:25:34 -0000
From: Squid <squidsecurity@...hmail.com>
To: bugtraq@...urityfocus.com
Subject: Re: [Squid 2004-Nuke-001] Inadequate Security Checking in PHPNuke
    v7.3 and earlier


In-Reply-To: <20040605125033.11956.qmail@....securityfocus.com>

>
>Using eregi is NOT the problem. The problem is the usage of $_SERVER['PHP_SELF'] which can't handle URL requests which have a slash ('/') as their first character in the query_string and thinks this is part of its path. Using SCRIPT_NAME is much safer...
>

I reported that their use of eregi() WITH the NOT logical operator AGAINST $_SERVER['PHP_SELF'] is the problem, not eregi() by itself.

I agree using $_SERVER['SCRIPT_NAME'] is one way to fix it IF this element is available on the server.  Since the manual says, "you may or may not find any of the following elements in $_SERVER," IMO it's safer to secure a file by checking whether a CONSTANT, which is defined in the calling script, exists in the called one.
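
The guards compared in this thread, side by side, as an added example that is not part of the original message and is not PHP-Nuke code. The file names `entry.php` and `called.php`, the constant `ENTRY_LOADED` and the `$_SERVER` values are hypothetical, and `preg_match()` stands in for `eregi()`, which was removed in PHP 7. For the constructed direct request, the PHP_SELF check is satisfied while the SCRIPT_NAME check and the constant check refuse it.

```php
<?php
// Added illustration. entry.php, called.php, ENTRY_LOADED and the $_SERVER
// values are hypothetical and constructed for this example.

// Name-based guard of the shape discussed: refuse unless the entry script's
// name appears somewhere in PHP_SELF (case-insensitive, as eregi() was).
function php_self_guard_allows(array $server, string $entry): bool
{
    $pattern = '/' . preg_quote($entry, '/') . '/i';
    return preg_match($pattern, $server['PHP_SELF'] ?? '') === 1;
}

// The same test against SCRIPT_NAME, which carries no trailing path text.
// Returns null when the element is absent, the case the reply is wary of.
function script_name_guard_allows(array $server, string $entry): ?bool
{
    if (!isset($server['SCRIPT_NAME'])) {
        return null;
    }
    return strcasecmp(basename($server['SCRIPT_NAME']), $entry) === 0;
}

// Constant guard: depends only on what the calling script did, never on a
// request-derived string.
function constant_guard_allows(string $constant): bool
{
    return defined($constant);
}

// Constructed request: called.php is requested directly and extra path text
// follows the script name, so PHP_SELF and SCRIPT_NAME differ.
$direct = [
    'SCRIPT_NAME' => '/app/called.php',
    'PHP_SELF'    => '/app/called.php/entry.php',
];

var_dump(php_self_guard_allows($direct, 'entry.php'));
var_dump(script_name_guard_allows($direct, 'entry.php'));
var_dump(constant_guard_allows('ENTRY_LOADED'));

// Legitimate path. In entry.php:  define('ENTRY_LOADED', true); require 'called.php';
// First line of called.php:       if (!defined('ENTRY_LOADED')) { die('Access denied'); }
define('ENTRY_LOADED', true);
var_dump(constant_guard_allows('ENTRY_LOADED'));
```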

