Re: [Squid 2004-Nuke-001] Inadequate Security Checking in PHPNuke v7.3 and earlier

[Squid <squidsecurity () hushmail com>]

In-Reply-To: <20040605125033.11956.qmail () www securityfocus com>

> Using eregi is NOT the problem. The problem is the usage of $_SERVER['PHP_SELF'] which can't handle URL requests which 
> have a slash ('/') as their first character in the query_string and thinks this is part of it's path. Using 
> SCRIPT_NAME is much safer...

I reported their use of eregi() WITH the NOT logical operator AGAINST $_SERVER['PHP_SELF'] is the problem not eregi() 
by itself  

I agree using $_SERVER['SCRIPT_NAME'] is one way to fix it IF this element is available on the server.  Since the 
manual says, "you may or may not find any of the following elements in $_SERVER," IMO it's safer to secure a file by 
checking whether a CONSTANT, which is defined in the calling script, exists in the called one.