[geeklog-devel] 1.5 Installer stuff

Joe Mucchiello joe at ThrowingDice.com
Thu Oct 11 22:41:31 EDT 2007


There's a bunch of security vulnerabilities from older versions of 
Geeklog where you could take over the site using PHP files that are 
not intended as URL targets combined with register_globals on. So 
yeah, the language files should also probably have them too.

At 09:45 PM 10/11/2007, Oliver Spiesshofer wrote:
>Oliver Spiesshofer wrote:
>>Joe Mucchiello wrote:
>>>I put a / in the database prefix (by mistake) and received a 
>>>cryptic database error. That field should be validated.
>>>
>>>
>>>siteconfig.php needs the
>>>
>>>if (strpos ($_SERVER['PHP_SELF'], 'siteconfig.php') !== false) {
>>>     die ('This file can not be used on its own!');
>>>}
>>>
>>>or a
>>>
>>>    header('location: index.php');
>>noted.
>taking a look at it now.... why? Should we do it with all the 
>language files then also?
>
>Oliver

----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com 
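
The direct-access guard discussed in this message, as an added example that is not part of the original post and is not Geeklog code. It runs the thread's `strpos` check on `PHP_SELF` beside a comparison of the resolved script path over three constructed requests; `PHP_SELF` includes any PATH_INFO the client appends, so the substring check also fires for `/index.php/siteconfig.php`. The helper names, temp files and request values are assumptions made for the demonstration.

```php
<?php
// Added example, not Geeklog code. Function names, temp files and the
// $_SERVER-style arrays below are constructed for this demonstration.

// The check quoted in the thread, wrapped in a function so it can be compared.
function thread_guard(array $server): bool
{
    return strpos($server['PHP_SELF'], 'siteconfig.php') !== false;
}

// True when $includeFile is the script the server was asked to execute,
// i.e. it was requested by URL rather than include()d by an entry point.
function is_direct_request(string $includeFile, array $server): bool
{
    $script = $server['SCRIPT_FILENAME'] ?? '';
    if ($script === '') {
        return false; // realpath('') would resolve to the working directory
    }
    $entry = realpath($script);
    return $entry !== false && $entry === realpath($includeFile);
}

// Constructed files standing in for an entry point and an include-only file.
$dir = sys_get_temp_dir() . '/guard_demo_' . getmypid();
mkdir($dir);
touch("$dir/index.php");
touch("$dir/siteconfig.php");

$cases = [
    'siteconfig.php requested' =>
        ['SCRIPT_FILENAME' => "$dir/siteconfig.php", 'PHP_SELF' => '/siteconfig.php'],
    'included by index.php' =>
        ['SCRIPT_FILENAME' => "$dir/index.php", 'PHP_SELF' => '/index.php'],
    'index.php with PATH_INFO' =>
        ['SCRIPT_FILENAME' => "$dir/index.php", 'PHP_SELF' => '/index.php/siteconfig.php'],
];

foreach ($cases as $label => $server) {
    printf("%-26s strpos=%-5s path=%s\n", $label,
        var_export(thread_guard($server), true),
        var_export(is_direct_request("$dir/siteconfig.php", $server), true));
}

// In an include-only file the check would read:
//   if (is_direct_request(__FILE__, $_SERVER)) { die('This file can not be used on its own!'); }
unlink("$dir/index.php");
unlink("$dir/siteconfig.php");
rmdir($dir);
```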