Re: pMachine (PHP) : Include() Security Hole

[martin f krafft <madduck () madduck net>]

also sprach Frog Man <leseulfrog () hotmail com> [2003.06.14.1848 +0200]:
> This will work if register_globals is ON *OR* OFF.

Right, because:

>   while(list($var,$val)=each($HTTP_COOKIE_VARS))
>   while(list($var,$val)=each($HTTP_GET_VARS))
>   while(list($var,$val)=each($HTTP_POST_VARS))
>   while(list($var,$val)=each($HTTP_SERVER_VARS))

you are effectively "turning it on", so to speak.

> include ("{$pm_path}config$sfx");

then of course, sfx is going to be a variable, if it's passed into
the script via GET_VARS.

your mistake is using a variable that wasn't explicitly initialised.

other than that i fail to see why this is somethign special.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
 
keyserver problems? http://keyserver.kjsl.com/~jharris/keyserver.html
get my key here: http://madduck.net/me/gpg/publickey
 
bill gates, 1984: "640 k ought be enough"
bill gates, 1995: "the internet is not a primary goal for pc usage"
bill gates, 1999: "linux has no impact on microsoft's strategy"

Attachment: _bin
Description: