On Sat, 14 Jul 2001, giancarlo pinerolo wrote:

>  Gosh
>  with regards to this paper, named PHP Security Paper (a study in
>  scarlet)...
> 
>  http://www.securereality.com.au/studyinscarlet.txt
> 
>  I always thought _PHPLIB was a defined constant, now I realize it is an
>  array
>  try this script please, which can override the $_PHPLIB[libdir] value.
> 
>  in the third input field, which overrides _PHPLIB[libdir], type '/tmp/',
>  and it will include a file named 'test' there
> 
>  Giancarlo

[snip scripts]

This is becasue $_PHPLIB['libdir'] is only initalized if it isn't present.
Simply remvove the if(!(is_array($_PHPLIB)) { call and it will be better.
If you don't use this functionality in prepend.php3 (eg: you have phplib
in PHP's include_path) then simply define $_PHPLIB['libdir'] as a a NULL
or empty string.

Better yet, enable track_vars and disable register_globals for php, and
this won't be a problem, becasue your user input will be located in
$HTTP_GET_VARS['_PHPLIB'['libdir']] not in the global environment

-n
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
nathan hruby / digital statement
nathan@[...].com
http://www.dstatement.com/

Public GPG key can be found at:
http://www.dstatement.com/nathan-gpg-key.txt
ED54 9A5E 132D BD01 9103  EEF3 E1B9 4738 EC90 801B
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-






-- 
Abbestellen mit Mail an:   phplib-unsubscribe@[...].de
Kommandoliste mit Mail an: phplib-help@lists.netuse.de