[wp-hackers] SQL injection admin hash disclosure exploit for wp-trackback.php
Mark Jaquith
mark.wordpress at txfx.net
Thu Jan 11 16:57:19 GMT 2007
On Jan 11, 2007, at 3:13 AM, Roland Häder wrote:
> I suppose "register_globals on" *is* the security hole? ;) If your
> application requires register_globals turned on, then please
> rewrite it yourself (if allowed by the included license) or search
> for an alternative. "register_globals on" is bad (in combination
> with other PHP options, a nightmare).
WordPress has never required register_globals to be turned on. We
hate register globals. :-) We have code in WordPress that
unregisters global variables. The bug was a PHP bug that makes use
of unset() to de-register variables unsafe. I found a workaround.
--
Mark Jaquith
http://markjaquith.com/
Covered Web Services
http://covered.be/
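For readers unfamiliar with the kind of cleanup the reply refers to, here is an added example (not WordPress's code, and not the workaround Mark describes) of a routine that undoes register_globals by removing request-derived names from the global symbol table. The function name, the $protected parameter and the refusal of a request key named GLOBALS are assumptions of this illustration: the latter guards one known hazard of register_globals, namely that a request parameter can be merged into the $GLOBALS array itself, after which unset($GLOBALS[...]) no longer operates on the real globals.

```php
<?php
// Added example, not WordPress code: remove variables that register_globals
// injected into the global scope from GET/POST/COOKIE/FILES/ENV/SERVER input.
// Returns the number of globals removed so callers can log it.
function unregister_request_globals(array $protected = array())
{
    // Nothing to do when register_globals is off (the normal, safe state).
    if (!ini_get('register_globals')) {
        return 0;
    }

    // Assumption of this example: if the request carries a key named GLOBALS,
    // register_globals may have written into the $GLOBALS array itself, so the
    // unset() calls below could not be trusted. Refusing the request is safer
    // than trying to repair the symbol table.
    if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
        http_response_code(400);
        exit('GLOBALS overwrite attempt detected');
    }

    // Names that must never be unset: PHP's superglobals plus whatever the
    // caller declares as legitimately global (e.g. a table prefix).
    $superglobals = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                          '_SERVER', '_ENV', '_FILES');
    $keep = array_flip(array_merge($superglobals, $protected));

    // Every key present in any request source may have become a global.
    $input = array_merge($_GET, $_POST, $_COOKIE, $_FILES, $_ENV, $_SERVER);

    $removed = 0;
    foreach ($input as $name => $unused) {
        if (isset($keep[$name])) {
            continue; // protected or superglobal: leave it alone
        }
        if (array_key_exists($name, $GLOBALS)) {
            unset($GLOBALS[$name]);
            $removed++;
        }
    }
    return $removed;
}

// Call as early as possible, before any other code reads globals:
$dropped = unregister_request_globals(array('table_prefix'));
```

On PHP 5.4 and later register_globals no longer exists, so the function returns 0 immediately; the routine is only meaningful on the legacy configurations the thread is about.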