
WebCalendar


include "includes/$user_inc";

  1. nobody

    2003-07-15 20:49:58 UTC
    Is this line correct?

    From what I know of PHP, an include line is used to include files that have functions that will be called by the current file.

    If that is the case, why is a variable being listed as an include?
  2. nobody

    2003-07-15 21:08:48 UTC
    I found at least part of it.

    It seems that WebCalendar makes strong use of Global variables. There are a number of nasty exploits out there for this.

    As a result almost everyone has quit using them.
    The way this came up is our security guy found that he could define $user_inc as anything he wanted to from the URL. As a result he could do nasty things like copy our username password file.

    Please tell me there is an easy fix. As it stands I am about to have to go back in and rewrite a ton of code so I can switch off global
  3. 2003-07-16 04:34:31 UTC
    I just posted a fix for the $user_inc vulnerability. (Actually, I'm surprised no one has pointed this one out before since it's such a huge security hole.)

    I'd certainly like to completely remove the global variables from all the code. No one has gotten around to doing this yet... Any volunteers?
  4. nobody

    2003-07-19 16:32:43 UTC
    I have found a few security problems with WebCalendar. They may be all related to all the global variables but I don't know for sure. I would like to contact someone directly about these. Who should I contact?

  5. nobody

    2003-07-19 17:00:43 UTC
    Actually, to add to my previous post, now that this is made public, your online demo is vulnerable to this as well.
  6. nobody

    2003-07-19 17:03:13 UTC
    Actually, now that this is public, the online demo is vulnerable to this.
  7. nobody

    2003-07-19 17:08:19 UTC
    Sorry for the double post :)
  8. nobody

    2003-07-21 10:45:41 UTC
    This has been posted to the Full Disclosure mailing list now so you should fix it asap :)
  9. 2003-07-21 13:42:40 UTC
    The demo has been updated with the latest CVS code to address this security issue.
  10. 2003-07-21 17:50:22 UTC
    Maybe next time the author can be given adequate time to release a new version or patch before this is posted on bugtraq.

    -- Jeff
  11. 2003-07-21 18:14:43 UTC
    This wasn't a problem before the register globals hack was put in (0.9.39). Why? config.php set $user_inc. It still does, however the register globals hack overwrites it.

    -- Jeff
  12. nobody

    2003-07-21 20:06:42 UTC
    Jeff,

    Correct me if I am wrong but,

    1: It looks like the problem was made "public" in this forum before the bugtraq/fd postings.

    2: Craig Knudsen says he had already posted a fix on 2003-07-15.

    Is this not the case?
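
The overwrite described in post 11 (a register-globals emulation replacing the `$user_inc` value that config.php had already set) and one way to guard against it, shown as an added example that is not part of the thread and is not WebCalendar's code or its actual fix. The function names, the allowlist, and the sample values are hypothetical.

```php
<?php
// Added illustration; all names and values below are constructed.

// Vulnerable pattern: request parameters are copied into the variable
// scope after configuration has run, so a parameter named user_inc
// replaces the configured value.
function emulate_register_globals_unsafe(array $request, array &$scope): void
{
    foreach ($request as $name => $value) {
        $scope[$name] = $value;
    }
}

// Hardened emulation: skip protected names and anything already defined.
function emulate_register_globals_safe(array $request, array &$scope, array $protected): void
{
    foreach ($request as $name => $value) {
        if (in_array($name, $protected, true) || array_key_exists($name, $scope)) {
            continue;
        }
        $scope[$name] = $value;
    }
}

// Second layer: only include files named on a fixed allowlist.
function resolve_user_inc(string $userInc, array $allowed): string
{
    if (!in_array($userInc, $allowed, true)) {
        throw new InvalidArgumentException('user_inc is not an allowed include file');
    }
    return 'includes/' . $userInc;
}

$configured = ['user_inc' => 'user.php'];  // stands in for what config.php sets
$request = ['user_inc' => 'request-supplied-value', 'view' => 'month'];
$allowed = ['user.php'];

$unsafe = $configured;
emulate_register_globals_unsafe($request, $unsafe);
$safe = $configured;
emulate_register_globals_safe($request, $safe, ['user_inc']);

echo 'unsafe emulation: ', $unsafe['user_inc'], "\n";
echo 'safe emulation:   ', $safe['user_inc'], "\n";
echo 'include path:     ', resolve_user_inc($safe['user_inc'], $allowed), "\n";
try {
    resolve_user_inc($unsafe['user_inc'], $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected:         ', $e->getMessage(), "\n";
}
```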