[geeks] PHP and Variable Scoping
Jonathan C. Patschke
jp at celestrion.net
Sat Dec 20 03:25:22 CST 2003
Here is an article that explains exactly -why- those of you (and me)
running PHP should upgrade to a version that enforces variable scoping
as soon as possible:

http://www.securityfocus.com/guest/24043

Synopsis: Webserver was turned into a spamhaus WITHOUT being r00ted.
The exploit used knowledge of how Gallery and a few other PHP web apps
work and used the fact that you can override globally-scoped variables
in most versions of PHP by passing a CGI variable clause as part of the
request.

Don't think those of you running non-x86 machines are immune from this.
That binary "httpd" could've been a perl script just as easily.
--
Jonathan Patschke ) "Earth works. That's proof positive that Mother
Elgin, TX ( Nature isn't a suit." --Dave McGuire
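
The variable override described in the synopsis above, shown as an added example (not part of the original post and not Gallery's code). It assumes a hypothetical script with an uninitialised `$authorized` flag; `extract()` stands in for the old `register_globals` behaviour, which was removed in PHP 5.4, and the request array is constructed sample input.

```php
<?php
// Added illustration. handle_legacy(), handle_scoped() and $authorized
// are hypothetical names; the request below is constructed sample input.

// Parameters as they would be parsed from "?page=home&authorized=1".
$request = ['page' => 'home', 'authorized' => '1'];

// Legacy behaviour: every request parameter becomes a variable in the
// script's scope before the script body runs. extract() reproduces
// that here so the effect is visible on a current PHP.
function handle_legacy(array $request, bool $valid_session): string
{
    extract($request);            // what register_globals=On did implicitly

    if ($valid_session) {
        $authorized = true;       // only assigned on the success path
    }

    // Defect: $authorized was never initialised by the script, so a
    // value supplied in the request is still in place at this point.
    return !empty($authorized) ? "admin:$page" : 'denied';
}

// Scoped behaviour: request data stays in its own array, and internal
// state is initialised by the script, never sourced from the request.
function handle_scoped(array $request, bool $valid_session): string
{
    $authorized = false;          // explicit initialisation
    if ($valid_session) {
        $authorized = true;
    }

    // Read only the parameter the script expects, with a type check
    // and an allow-list instead of trusting whatever arrived.
    $page = (isset($request['page']) && is_string($request['page']))
        ? $request['page']
        : 'home';
    if (!in_array($page, ['home', 'albums'], true)) {
        $page = 'home';
    }

    return $authorized ? "admin:$page" : 'denied';
}

// Same request, no valid session, two different outcomes.
echo 'legacy: ', handle_legacy($request, false), "\n";
echo 'scoped: ', handle_scoped($request, false), "\n";
```

When reviewing older PHP code, the same defect shows up as any variable that is read before the script itself assigns it, and as calls to `extract()` or `import_request_variables()` on request data.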