[phplib-dev] cvs commit From: chrisj (phplib-dev <email protected>)
Date: 04/05/01

From: chrisj
Date: Thu Apr 5 18:16:25 2001
Removed files:
      German/TODO

Modified files:
      German/FAQ
      German/FAQ
      German/TODO
      php-lib-stable/TODO

Log message:

Add prepend.php3 security problem bug.

Index: php-lib-stable/TODO
diff -u php-lib-stable/TODO:1.4 php-lib-stable/TODO:1.5
--- php-lib-stable/TODO:1.4 Tue Apr 3 16:34:34 2001
+++ php-lib-stable/TODO Thu Apr 5 18:16:25 2001
@@ -1,5 +1,5 @@
 
-$Id: TODO,v 1.4 2001/04/03 14:34:34 chrisj Exp $
+$Id: TODO,v 1.5 2001/04/05 16:16:25 chrisj Exp $
 
 Things To Do for Release 7.2d:
 
@@ -18,6 +18,20 @@
    places.
 
 *) db_mssql.inc, line 126 -- uses mssql_affected_rows(), which does not exist in PHP.
+
+*) prepend.php3 -- security problem as described below:
+ There appears to be a security hole in the PHPLib prepend.php3 file by
+ default. There is a section where $_PHPLIB['libdir'] is set if it is not
+ already set. This allows somebody to pass a value for the variable with the
+ GET if register globals is set. If php is set to allow url's with fopen
+ (which is the default) it is possible to supply your own include files to
+ PHPLib. You can pretty much run anything you want. Am I missing something?
+ How is this variable expected to be set prior to encountering prepend.php3?
+ The documentaion only mentions this variable in passing, mostly just to say
+ that the name is used. It is possible to bypass this problem just by
+ explicitly setting the variable in prepend.php3, so it's easy to fix. I
+ would appreciate any information on this you can give me. William Stockall.
+
 
 *) Others as they are found, reported or documented.
 
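Review bot: The new "*) prepend.php3" entry pastes William Stockall's report verbatim, open questions included ("Am I missing something?", "How is this variable expected to be set prior to encountering prepend.php3?"), so the TODO never states what has to change for 7.2d. Suggest condensing it to the actionable item the report itself names: set $_PHPLIB['libdir'] explicitly in prepend.php3 rather than only when it is not already set, so that a GET parameter under register globals cannot choose the include directory, and keep the reporter credit on a single line. Also, "documentaion" in the added text should read "documentation".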
