Bugtraq mailing list archives
Arbitrary code inclusion in phpShop
From: "Calum Power" <enune () hush ai>
Date: Sun, 9 May 2004 00:14:11 -0700
A vulnerability has been discovered in the popular E-Commerce package 'phpShop'. The vulnerability's details are available in the attached advisory, or at http://www.fribble.net/advisories/phpshop_29-04-04.txt Due to the nature of this vulnerability, I notified the lead programmer for this package over a week ago, and no reply or patch has yet been released. Once again, this unfortunately another PHP package falling victim to the 'register globals substitution' vulnerability that many other high- profile packages have had (phpNuke, phpBB, just to name a couple). When will people learn that replacing one bad configuration error with a (even worse!) programming one is NOT the way to migrate into new versions of PHP. Regards, Calum Power - Cultural Jammer - Security Enthusiast - Hopeless Cynic enune () hush ai http://www.fribble.net
Attachment:
phpshop_29-04-04.txt
Description:
Current thread:
- Arbitrary code inclusion in phpShop Calum Power (May 10)