[Phpwebsite-security] Security patch

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Phpwebsite 0.10.x. has a security flaw.

You should download this small patch to correct it:
http://phpwebsite.appstate.edu/downloads/security/phpws_patch_20060419.tgz

We would like to thank user retrogod for bring it to our attention.
Normally, I would review the patch with the submitter, but the issue is
public. It is better to go ahead and make the patch available.

We were unable to test the issue with register_globals = 0. Having
register globals active seems to be a condition of it working.

The patch tries to ini_set the register global variable to 0. It also
parses a directory address for characters that are not alphanumeric,
underlines, slashes, or periods.

This patch has been tested successfully with branch sites and their hub.
Of course if there are any problems or deficiencies with the patch, we
will update it immediately.

-- 
Matthew McNaney
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu