I've just had my web site hacked by someone who used ./themes/test1.php to run arbitrary code on a remote server by passing "root" as a parameter in the URL pointing to a directory on the remote server.
Ol'Bookmarks relies on register_globals being On and that allows this hack to work.
This is a serious security issue and I'm still seeing requests on the server with a referrer header which suggest that someone is using Google to identify other Ol'Bookmarks servers to repeat the episode.
I strongly suggest everyone using Ol'Bookmarks take their servers offline or at least hide them from Google until this exploit is fixed!
Logged In: YES
user_id=123387
Originator: NO
You can set register_globals = OFF with olbookmarks since 0.7.4; by the way, OFF is the default for a while now.
Having it set to ON is a major security risk, not only for olbookmarks but also for lots of web applications (that do not double check every provided variable)
Logged In: YES
user_id=1322570
Originator: NO
This sounds like a major security bug. Will you change the code accordingly? Not everybody can change the settings of register_globals on shared webspace.
Logged In: YES
user_id=123387
Originator: NO
Code has been fixed in 0.7.5.
register_globals is a very bad idea anyway and is considered as being completely removed in future versions of PHP.