Bugtraq mailing list archives

Re: Squirrelmail local file inclusion

From: pauls () utdallas edu
Date: Tue, 06 Jun 2006 20:05:18 -0500

--On June 6, 2006 4:32:02 PM -0400 "Steven M. Christey" <coley () mitre org>wrote:


Yet know we're getting "security advisories" warning, hey, if you
change the defaults and ignore all the warnings, you too can write
insecure code!


In this sense, I agree.  Default configuration is one thing, but
active negligence is another.

That said, Squirrelmail apparently thinks this issue is important
enough to release an advisory:

 http://www.squirrelmail.org/security/issue/2006-06-01

So maybe they know more about the implications on their consumers than
we do.

Did you look at the patch?

It's almost 40 lines of code designed to *force* register_globals to "off"no matter what the idiot behind the wheel does.

I understand that there are many shared hosting sites that haveregister_globals set to "on". IMNSHO opinion they are putting theircustomers at risk unnecessarily. The default setting should be "off", andif someone needs it turned on in the application they're using, they canturn it on there and assume the risk themselves.

It wouldn't take much for web hosting companies to educate their users. Afew lines of advice on a webpage would suffice. For example, for Apacheusers, you can set the php_flag register_globals on/off in a VirtualHostcontext (inside <Directory>.) So the hosting company can enable it onrequest but use the proper default setting for most sites.

Or the individual webmasters can set php_register_globals = [on|off] in a.htaccess file (Apache 1.3.x only!) or php_value register_globals [0|1](Apache 2.x only!) if they don't like the default setting the hostingcompany uses. Or they can simply include a file with the setting in it andadd an include statement to the code of the app.

I'm sure there are other methods that could be used as well. Since thereare many options available, the default should be secure.


Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Attachment: _bin
Description:

Current thread:

Squirrelmail local file inclusion brokejunker (Jun 01)
- Re: Squirrelmail local file inclusion Paul Schmehl (Jun 02)
- <Possible follow-ups>
- Re: Squirrelmail local file inclusion Steven M. Christey (Jun 06)
  - Re: Squirrelmail local file inclusion pauls (Jun 07)