oss-sec mailing list archives
Re: CVE request phpmyadmin (Fwd: XSS in phpMyadmin)
From: Hanno Böck <hanno () hboeck de>
Date: Tue, 28 Oct 2008 10:50:17 +0200
Am Dienstag 28 Oktober 2008 schrieb Thijs Kinkhorst:
Do we still call things that require register_globals to be on a 'vulnerability'? Register_globals has been advertised (including in the PHP documentation of that option) as a very bad idea for many years now, it's turned off by default since years aswell. Turning it on could be considered as knowingly taking the risk on a certain class of exploits. At least Debian doesn't provide any security support for these issues.
I'd think this is okay as a policy for a distribution and agree that it's a very bad idea to enable register_globals these days (afaik it should go away in php6 anyway). But anyway a register_globals issue most likely leads to at least some bad programming practise (using uninitalized variables), I think it's okay to still track them. And beside, would be worth a check but I am pretty sure there are still lot's of webhosters out there having it enabled. -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail: hanno () hboeck de http://x1000malquer.de/ - ab 8.11. Atomtransporte stoppen
Attachment:
signature.asc
Description: This is a digitally signed message part.
Current thread:
- CVE request phpmyadmin (Fwd: XSS in phpMyadmin) Hanno Böck (Oct 27)
- Re: CVE request phpmyadmin (Fwd: XSS in phpMyadmin) Thijs Kinkhorst (Oct 28)
- Re: CVE request phpmyadmin (Fwd: XSS in phpMyadmin) Hanno Böck (Oct 28)
- Re: CVE request phpmyadmin (Fwd: XSS in phpMyadmin) Steven M. Christey (Oct 28)
- Re: CVE request phpmyadmin (Fwd: XSS in phpMyadmin) Hanno Böck (Oct 29)
- Re: CVE request phpmyadmin (Fwd: XSS in phpMyadmin) Thijs Kinkhorst (Oct 28)