Date: 11 Apr 2006 16:45:56 -0000
From: rg.viza@...il.com
To: bugtraq@...urityfocus.com
Subject: Re: Re: PHPList <= 2.10.2 remote commands execution


Isn't this old news?

Your app is a sieve if you run with register globals on (or have developed your own code to do the same thing and replace it). It's a disaster waiting to happen.

In the PHP manual, the developers of PHP have posted a big fat warning about this. It's easier to secure your code than it is to secure register globals. It's possible to eventually finish securing your code with regard to this.

Though it takes some extra work, it's worth it because it takes less work to get it done than it does to continually fix the ever growing flow of vulnerabilities related to this configuration setting being on. They will never stop coming. 

People were trying to fix register_globals 5 years ago and they still are battling this. It took me a month to turn this off, and secure my code on all 4 apps that I am responsible for. What does that tell you?

Sorry for the lecture, but I've seen way too many vulnerabilities here related to this. PHP developers everywhere should know better by now.

-Viz
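As an added illustration of the pattern the post warns about (this example is not from the original message, from PHPList, or from the PHP manual), here is the classic register_globals hole beside a hardened rewrite that is safe no matter how the ini flag is set. `check_login()` is a hypothetical stand-in for the application's own credential check, and `/app/admin_panel.php` is a placeholder path.

```php
<?php
// Added example: the register_globals hazard and its fix.
// check_login() is a hypothetical stand-in for the application's own
// credential check; '/app/admin_panel.php' is a placeholder path.

function check_login($user, $pass)
{
    // Hypothetical: real code would verify against a user store.
    return $user === 'admin' && $pass === 'correct horse battery staple';
}

// ---------------------------------------------------------------
// VULNERABLE: only when register_globals = On, or when the app
// emulates it with something like
//     foreach ($_REQUEST as $k => $v) { $$k = $v; }
// or  extract($_REQUEST);
//
// $authorized is never initialised on the failure path, so a request
// such as  GET /admin.php?authorized=1  creates $authorized = "1"
// before this code runs, and the include executes.
// ---------------------------------------------------------------
function vulnerable_handler()
{
    global $user, $pass, $authorized;   // all three may arrive from the URL
    if (check_login($user, $pass)) {
        $authorized = true;
    }
    if ($authorized) {                  // undefined or attacker-controlled
        include '/app/admin_panel.php';
    }
}

// ---------------------------------------------------------------
// HARDENED: every variable is initialised before use, and request
// data is read only from the explicit superglobals, never from the
// global symbol table. This is correct regardless of the
// register_globals setting, which is what "secure your code" rather
// than "secure register_globals" means in practice.
// ---------------------------------------------------------------
function hardened_handler()
{
    $authorized = false;                                   // explicit default
    $user = isset($_POST['user']) ? (string) $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';
    if (check_login($user, $pass)) {
        $authorized = true;
    }
    if ($authorized === true) {
        include '/app/admin_panel.php';
    }
}

// Belt and braces: refuse to run at all if the dangerous setting is on.
// register_globals was removed entirely in PHP 5.4, so ini_get() returns
// false there; on older builds it returns "1" or "on" when enabled.
function refuse_if_register_globals_on()
{
    $rg = ini_get('register_globals');
    if ($rg !== false && filter_var($rg, FILTER_VALIDATE_BOOLEAN)) {
        header('HTTP/1.1 500 Internal Server Error');
        exit('register_globals is enabled; refusing to run');
    }
}

refuse_if_register_globals_on();
hardened_handler();
```

The configuration side is one line, `register_globals = Off` in php.ini (or `php_flag register_globals off` in an Apache `.htaccess`), but as the post says the flag alone is not the fix: the hardened handler above stays correct even on a host where someone turns the flag back on, because it never trusts a variable it did not initialise itself.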
