[geeklog-devel] PHP in Static Pages
Dirk Haun
dirk at haun-online.de
Tue Jan 13 16:53:52 EST 2004
Tony wrote:
>Then we would scan the static page db fields for any of those. Note you
>would have to be a bit careful when doing this as you want to find
>instances of 'delete (' and 'delete(' not just 'delete'.
So we would also catch

    echo "You can't use delete() in static pages.";

There may also be less-than-obvious ways to bury those "dangerous" PHP
statements in a static page and still have them executed.
>When any of
>those are encountered it should log the user and the page ID.
So the first thing to do when you hijack a static page is to delete the
error.log from it.
I guess a security audit of the plugin is in order, but, as I said
before, I don't think you can reliably catch all cases.
bye, Dirk
--
http://www.haun-online.de/
http://mypod.de/
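
The false positive discussed in the message above, as an added example that is not part of the original post and not Geeklog code: a substring scan for `delete(` / `delete (` compared with a scan over PHP tokens, which ignores the name inside a string literal. The deny-list `$blocked`, the page IDs, the function names and the sample bodies are constructed, and the stored body is assumed to be PHP code without an opening tag.

```php
<?php
// Added example. Assumptions: page bodies are stored as PHP code without an
// opening tag, and $blocked is a hypothetical deny-list holding only the
// name used in the thread.
$blocked = ['delete'];

// Constructed sample rows (page ID => stored body).
$pages = [
    'page-echo' => 'echo "You can\'t use delete() in static pages.";',
    'page-call' => 'delete ("somefile");',
];

// Substring scan as proposed in the quoted text: "delete(" and "delete (".
function regexScan(string $src, array $blocked): array
{
    $names = implode('|', array_map('preg_quote', $blocked));
    preg_match_all('/\b(' . $names . ')\s*\(/i', $src, $m);
    return $m[1];
}

// Token scan: report a blocked name only when it is an identifier token
// directly followed by "(", so text inside string literals is not counted.
function tokenScan(string $src, array $blocked): array
{
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = [];
    foreach (token_get_all('<?php ' . $src) as $t) {
        if (!is_array($t) || !in_array($t[0], $skip, true)) {
            $tokens[] = $t;
        }
    }
    $hits = [];
    foreach ($tokens as $i => $t) {
        if (is_array($t) && $t[0] === T_STRING
            && in_array(strtolower($t[1]), $blocked, true)
            && ($tokens[$i + 1] ?? null) === '(') {
            $hits[] = $t[1];
        }
    }
    return $hits;
}

foreach ($pages as $id => $body) {
    printf("%-10s regex hits=%d  token hits=%d\n", $id,
        count(regexScan($body, $blocked)), count(tokenScan($body, $blocked)));
}
```

The token scan only reports names that appear literally as call tokens in the page source, so it removes the string-literal false positive without making the scan complete.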