Re: '$' signs in messages
On Sun, 19 Aug 2001 15:43:15 -0400
Thomas Reinke <reinke@e-softinc.com> wrote:
> If, as Earl said, you are doing something with PHP, and this is
> the root of your problem, you better be VERY careful. You have to
> make sure whatever page you archived cannot be tricked into being
> PHP executable (e.g. do not "include" or "require" the page).
This is not a concern. All message data ends up being shoved either
into here files or into variable assignments (see the URLs to the
RCs etc I posted a couple days ago). There is no PHP-executable
path to message contents.
> The security hole is this: someone can post a message to the
> newsgroup you are archiving, with PHP embedded code that will do
> things like read the password file and mail it to someone, and so
> on.
Yup, I'm well aware of the problem via other commonly used PHP-based
tools (not that it's specific to PHP).
--
J C Lawrence )\._.,--....,'``.
---------(*) /, _.. \ _\ ;`._ ,.
claw@kanga.nu `._.-(,_..'--(,_..'`-.;.'
http://www.kanga.nu/~claw/ Oh Freddled Gruntbuggly
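As an added illustration of the point both posters make (this is example code, not the archiver discussed in the thread), the snippet below renders a constructed archived message two ways: once by `include`, which parses the file as PHP so embedded tags run, and once as plain data, which is what the here-file/variable-assignment approach achieves. The archive path and the sample body are assumptions for the demo.

```php
<?php
// Constructed sample message body standing in for a hostile post: it
// carries a PHP open tag, but only a harmless echo so the effect is visible.
$body = "Hello list,\n<?php echo 'PHP TAG WAS EXECUTED'; ?>\nRegards";

// Archive writer: store the raw body as a file in the archive tree.
// (Temporary directory chosen for the demo; a real archiver uses its own path.)
$archiveDir = sys_get_temp_dir() . '/archive-demo';
if (!is_dir($archiveDir)) {
    mkdir($archiveDir, 0700, true);
}
$msgFile = $archiveDir . '/msg-0001.html';
file_put_contents($msgFile, $body);

// UNSAFE: include() hands the archived file to the PHP parser, so any
// <?php ... ?> block that a poster put in the message runs with the
// privileges of the web server process.
function render_unsafe(string $file): string
{
    ob_start();
    include $file;          // message content becomes executable code
    return ob_get_clean();
}

// SAFE: treat the archived message purely as data. file_get_contents()
// never interprets PHP tags, and htmlspecialchars() keeps the browser from
// treating the tags (or any <script>) as markup.
function render_safe(string $file): string
{
    $text = file_get_contents($file);
    return '<pre>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Compare the two renderings of the same archived message.
$unsafe = render_unsafe($msgFile);
$safe   = render_safe($msgFile);
printf("include() path ran embedded PHP: %s\n",
    str_contains($unsafe, 'PHP TAG WAS EXECUTED') ? 'yes' : 'no');
printf("data path ran embedded PHP:      %s\n",
    str_contains($safe, 'PHP TAG WAS EXECUTED') ? 'yes' : 'no');
```

The check to apply to an archiver is the same as the one Thomas describes: grep the rendering code for `include`/`require` of anything under the archive tree, and make sure message bodies only ever reach the page as string data.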