[geeklog-devel] PHP in Static Pages

Dirk Haun dirk at haun-online.de
Tue Jan 13 16:53:52 EST 2004


Tony wrote:


>Then we would scan the static page db fields for any of those. Note you
>would have to be bit careful when doing this as you want to find
>instances of 'delete (' and 'delete(' not just 'delete'.


So we would also catch

echo "You can't use delete() in static pages.";

There may also be less-than-obvious ways to bury those "dangerous" PHP
statements in a static page and still have them executed.



>When any of
>those are encountered it should log the user and the page ID.


So the first thing to do when you hijack a static page is to delete the
error.log from it.


I guess a security audit of the plugin is in order, but, as I said
before, I don't think you can reliably catch all cases.

bye, Dirk


--
http://www.haun-online.de/
http://mypod.de/
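The scan Tony proposes, written out as an added Python example (it is not code from this thread or from Geeklog's static pages plugin). It shows the `delete (` / `delete(` pattern matching and the false positive Dirk describes, the `echo` line that merely mentions `delete()` inside a string. A second scanner blanks out PHP string literals before matching, which removes that particular false positive; the function list beyond `delete` and the sample pages are assumptions constructed for the example.

```python
import re

# Function names the scan looks for. The thread names delete(); the rest are
# assumed additions for illustration.
DANGEROUS_CALLS = ("delete", "unlink", "exec", "system", "eval")

# Match "delete(" and "delete (" but not the bare word "delete".
CALL_RE = re.compile(
    r"\b(" + "|".join(DANGEROUS_CALLS) + r")\s*\(", re.IGNORECASE
)

# PHP single- and double-quoted string literals, including backslash escapes.
SINGLE_QUOTED = r"'(?:\\.|[^'\\])*'"
DOUBLE_QUOTED = r'"(?:\\.|[^"\\])*"'
STRING_RE = re.compile(SINGLE_QUOTED + "|" + DOUBLE_QUOTED, re.DOTALL)


def scan_naive(source):
    """Tony's scan as quoted: every 'name(' / 'name (' in the raw field text."""
    return [m.group(1).lower() for m in CALL_RE.finditer(source)]


def scan_outside_strings(source):
    """Same scan, but with string literals blanked out first (positions kept)."""
    blanked = STRING_RE.sub(lambda m: " " * len(m.group(0)), source)
    return [m.group(1).lower() for m in CALL_RE.finditer(blanked)]


def audit(pages, scanner=scan_outside_strings):
    """Return one (owner, page_id, function) record per flagged call.

    pages maps page_id -> (owner, content); the caller decides where to
    record the findings (somewhere the page's own PHP cannot reach).
    """
    findings = []
    for page_id, (owner, content) in pages.items():
        for fn in scanner(content):
            findings.append((owner, page_id, fn))
    return findings


# Constructed sample static pages, not real Geeklog data.
SAMPLE_PAGES = {
    "about": ("alice", "<p>Plain HTML, no PHP here.</p>"),
    "warning": ("bob", '<?php echo "You can\'t use delete() in static pages."; ?>'),
    "cleanup": ("carol", "<?php delete ($id); unlink('/tmp/x'); ?>"),
}

if __name__ == "__main__":
    print("naive, warning page:", scan_naive(SAMPLE_PAGES["warning"][1]))
    print("string-aware, warning page:", scan_outside_strings(SAMPLE_PAGES["warning"][1]))
    for owner, page_id, fn in audit(SAMPLE_PAGES):
        print(f"flag: user={owner} page={page_id} call={fn}()")
```

The naive scanner flags the `warning` page because of the text in the `echo` string; the string-aware one does not, and only the `cleanup` page is reported. It is still a text heuristic, so Dirk's broader point stands: it only catches what is spelled out literally in the field, and the findings should be written somewhere the page's own PHP cannot modify.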



