Google, Yahoo and AOL to identify exploitable Web pages written in PHP that use the functions "include()" and "require()" in an insecure manner, K-OTik said.
Exactly how is a worm going to know if I have include($crap) in my code by searching Google? Is it searching source code on sourceforge or something? Is it targeting certain applications again? If so, why not tell us which ones so we can remove them until a fix is in place? Does anyone have any more details on this "new" worm?
Eliminating the security flaws exploited by the newer versions of Santy involves no new tricks, and is simply a matter of applying long-known sound programming principles.
That sums it up exactly. Poor programmers incorrectly using include() and require() will probably never go away. I could write the exact same article for any other web scripting language. So what's the point here? Nothing I've seen details how this worm is targeting my web server...
Is this just more FUD against PHP? How many bosses are now going to demand PHP be disabled or not installed on company machines because of all these "vulnerabilities" when it's really just poor programming like it's always been?
--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals – www.phparch.com
-- PHP General Mailing List (http://www.php.net/)
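
The insecure include()/require() usage discussed in this message, next to an allowlist-based form, as an added example that is not part of the original post or of any application it mentions. The helper name `resolve_page`, the page names and the temporary directory are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post.
// Insecure pattern (request input flows straight into include()):
//     include($_GET['page'] . '.php');
// Hardened form: request input only selects a key in a fixed allowlist.

/** Hypothetical helper: map a requested page name to a file path, or null. */
function resolve_page(string $requested, array $allowlist, string $baseDir): ?string
{
    // Exact key lookup: URLs, ../ sequences and unknown names are all rejected here.
    if (!array_key_exists($requested, $allowlist)) {
        return null;
    }
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowlist[$requested]);
    $base = realpath($baseDir);
    // Defence in depth: the resolved file must exist and stay inside $baseDir.
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample data: a temporary page directory holding two pages.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($baseDir, 0700);
file_put_contents("$baseDir/home.php", "<?php echo \"home page\\n\";");
file_put_contents("$baseDir/about.php", "<?php echo \"about page\\n\";");
$allowlist = ['home' => 'home.php', 'about' => 'about.php'];

// Constructed request values standing in for $_GET['page'].
$samples = ['home', 'about', '../../etc/passwd', 'http://example.invalid/x', 'home.php'];
foreach ($samples as $requested) {
    $file = resolve_page($requested, $allowlist, $baseDir);
    if ($file === null) {
        // Log and refuse instead of including anything derived from the input.
        echo "rejected: ", var_export($requested, true), "\n";
        continue;
    }
    include $file;
}

// Remove the constructed sample files.
unlink("$baseDir/home.php");
unlink("$baseDir/about.php");
rmdir($baseDir);
```

Only `home` and `about` are included; the other three values are rejected before any filesystem path is built from them.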