[geeklog-devel] PHP in Static Pages

Dirk Haun dirk at haun-online.de
Tue Jan 13 16:53:52 EST 2004

Tony wrote:

>Then we would scan the static page db fields for any of those. Note you 
>would have to be bit careful when doing this as you want to find 
>instances of 'delete (' and 'delete(' not just 'delete'.

So we would also catch

    echo "You can't use delete() in static pages.";

There may also be less-than-obvious ways to bury those "dangerous" PHP
statements in a static page and still have them executed.

>When any of 
>those are encountered it should log the user and the page ID.

So the first thing to do when you hijack a static page is to delete the
error.log from it.

I guess a security audit of the plugin is in order, but, as I said
before, I don't think you can reliably catch all cases.

bye, Dirk


More information about the geeklog-devel mailing list