[wp-hackers] Security alert for WP 1.5.1.3
Frederic de Villamil
fdevillamil at gmail.com
Wed Aug 10 13:54:22 GMT 2005
On Wed, 10 Aug 2005 08:41:12 -0500, Lorelle VanFossen wrote
> Me no expert, just passing on info.
>
> Security Issue: http://secunia.com/advisories/16386/
> WordPress Forum first post: http://wordpress.org/support/topic/41464
>
> DrBacchus says: Nobody should have register_globals enabled. Yes,
> it's icky and the bug should be fixed, but the responsibility also
> lies with the server admin. register_globals is the devil. relle
> DrBacchus: could a plugin turn on the globals? DrBacchus relle:
> it can be turned on in a .htaccess file, so, presumably a plugin
> could do that.
>
> Fix: In .htaccess add a line for php_flag register_globals off
>
> Lorelle
DrBacchus is right, but in real life things aren't that simple.
A lot of companies use old PHP applications that need register_globals to be
enabled, and a lot of PHP developers are unaware of security issues. On the
other hand, a lot of webservers that have register_globals set to on won't allow
a vhost / website to use .htaccess.
The best is to patch the code for the next release, to avoid
1/ stupid people getting owned because of our beloved application
2/ WordPress becoming the next "bugtraq exploit of the day" every week like
phpNuke / gallery / phpBB / wu-ftpd are or used to be.
--
Frédéric de Villamil
What is mine is mine, what is yours is negotiable. (biker proverb)
http://www.eretzvaju.org
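The register_globals hazard the thread is arguing about, shown in code. This is an added example written for this page; it is not code from the thread, from WordPress, or from the Secunia advisory. The variable name `admin_ok` and the two functions are hypothetical, chosen only to illustrate the pattern: with register_globals on, PHP turns every request parameter into a global before the script runs, so any variable the application forgot to initialise can be set by the client. The `extract($_GET)` call at the bottom simulates that behaviour so the example also runs on modern PHP, where register_globals was removed (PHP 5.4), and the runtime check refuses to serve pages at all on a host that still has the flag on.

```php
<?php
// Added example, not part of the wp-hackers thread or of WordPress.
// "admin_ok", vulnerable_is_admin() and hardened_is_admin() are hypothetical.

// --- Vulnerable pattern: relies on an uninitialised global being empty. ---
// With register_globals=On, a request to page.php?admin_ok=1 creates a
// global $admin_ok before any application code runs, so this check passes
// for anyone who adds the parameter.
function vulnerable_is_admin()
{
    global $admin_ok;          // never initialised by the application
    return !empty($admin_ok);  // attacker-controlled under register_globals
}

// --- Hardened pattern: initialise every variable yourself and derive
// authorisation from server-side state, never from raw request input.
// This is safe whether register_globals is on or off. ---
function hardened_is_admin(array $session)
{
    $admin_ok = false;         // explicit default, cannot be pre-seeded
    if (isset($session['admin_ok']) && $session['admin_ok'] === true) {
        $admin_ok = true;
    }
    return $admin_ok;
}

// --- Belt and braces: refuse to run if the host has register_globals on.
// The directive is PHP_INI_PERDIR, so it cannot be turned off with
// ini_set() at runtime; it must be fixed in php.ini, httpd.conf or
// .htaccess (php_flag register_globals off, as the thread suggests).
// On PHP >= 5.4 ini_get() returns false because the directive no longer
// exists, which this check treats as "off". ---
function register_globals_is_on()
{
    $value = strtolower((string) ini_get('register_globals'));
    return in_array($value, ['1', 'on', 'yes', 'true'], true);
}

if (register_globals_is_on()) {
    header('HTTP/1.1 500 Internal Server Error');
    exit("register_globals is enabled on this server; refusing to run.\n");
}

// --- Simulation of what register_globals does, so the example runs today.
// A constructed request: the client appended ?admin_ok=1 to the URL.
$_GET = ['admin_ok' => '1'];
extract($_GET);   // at global scope this creates $admin_ok, like register_globals

// A constructed server-side session in which the user is NOT an admin.
$session = ['user' => 'guest'];

var_dump(vulnerable_is_admin());     // bool(true)  -- request input won
var_dump(hardened_is_admin($session)); // bool(false) -- session state won
```

Run it with `php example.php` to see the two results side by side. The point of the hardened version is not the `isset()` but where the truth comes from: authorisation is read from `$session`, which the client cannot write to, and the local variable has an explicit default, so nothing PHP pre-seeds into the global scope can change the outcome. The config fix from the thread belongs in httpd.conf or php.ini on hosts that do not honour `.htaccess` (AllowOverride set to None), which is exactly the situation the reply above describes.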