[geeklog-devel] 1.5 Installer stuff

Joe Mucchiello joe at ThrowingDice.com
Thu Oct 11 22:57:04 EDT 2007

Do you remember this checkin a couple of days ago? Language files 
sometimes execute code, and thus are vulnerable when register_globals 
is on (and the language directory is in the webroot).

--- 1162,1167 ----
       89 => 'Unable to find an OpenID server for the given identity URL.',
       90 => 'OpenID identification cancelled.',
!     91 => 'You specified an invalid identity URL.',
!     92 => 'Please ' . COM_createLink('check the security of your 
site', $_CONF['site_admin_url'] . '/sectest.php') . ' before using it!'
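Review bot: entry 92 calls COM_createLink() and reads $_CONF['site_admin_url'] while the language file is being loaded, so the file is now executable code rather than a table of strings; if it can be requested directly under the webroot with register_globals on, $_CONF is whatever the request supplies. Either guard the file the way the thread proposes for siteconfig.php (`if (strpos ($_SERVER['PHP_SELF'], ...) !== false) { die (...); }`) or keep entry 92 as a plain string with a placeholder and build the link in the code that uses it, where a trusted $_CONF already exists.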
At 10:45 PM 10/11/2007, Oliver Spiesshofer wrote:
>I always assumed that this problem is only there with files that 
>have actual code in them and not only variables.
>Given that this file has some system variables it might be a problem 
>here, but I am not sure with the language files.
>Joe Mucchiello wrote:
>>There's a bunch of security vulnerabilities from older versions of 
>>Geeklog where you could take over the site using php files that are 
>>not intended as URL targets combined with register_globals on. So 
>>yeah, the language files should probably have them too.
>>At 09:45 PM 10/11/2007, Oliver Spiesshofer wrote:
>>>Oliver Spiesshofer wrote:
>>>>Joe Mucchiello wrote:
>>>>>I put a / in the database prefix (by mistake) and received a 
>>>>>cryptic database error. That field should be validated.
>>>>>siteconfig.php needs the
>>>>>if (strpos ($_SERVER['PHP_SELF'], 'siteconfig.php') !== false) {
>>>>>     die ('This file can not be used on its own!');
>>>>>}
>>>>>or a
>>>>>    header('location: index.php');
>>>Taking a look at it now... why? Should we do it with all the 
>>>language files then also?
>>>geeklog-devel mailing list
>>>geeklog-devel at lists.geeklog.net
>>Joe Mucchiello
>>Throwing Dice Games

Joe Mucchiello
Throwing Dice Games
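The two defensive habits the thread circles around, written out as an added example (this is not Geeklog project code, and it is not the patch quoted above): the language file refuses to run when it is hit directly as a URL target, and entry 92 stays pure data so that nothing calls COM_createLink() or touches $_CONF while the file is being included. The file name english.php, the array name $LANG_OPENID, entry 93 and the helper openidSecurityNotice() are assumptions made for the example; $_CONF and COM_createLink() are taken to be defined by the including script, as in the thread.

```php
<?php
// Added example, not Geeklog project code. Two defensive habits for a
// language file:
//   (1) refuse to do anything when requested directly as a URL, and
//   (2) keep every entry plain data so nothing executes at include time.
// Assumed names: english.php (this file), $LANG_OPENID, entry 93 and the
// helper below are all hypothetical.

// (1) The same guard the thread proposes for siteconfig.php. PHP_SELF names
//     the script the web server actually ran, so this only matches a direct
//     request and never a normal include from index.php or friends.
if (strpos($_SERVER['PHP_SELF'], 'english.php') !== false) {
    die('This file cannot be used on its own!');
}

// (2) Entry 92 no longer builds a link while the file loads. It carries a
//     printf-style placeholder, and the link text is a separate plain entry,
//     so the whole array is data that a direct request cannot turn into code.
$LANG_OPENID = array(
    89 => 'Unable to find an OpenID server for the given identity URL.',
    90 => 'OpenID identification cancelled.',
    91 => 'You specified an invalid identity URL.',
    92 => 'Please %s before using it!',
    93 => 'check the security of your site',   // link text, plain data
);

/**
 * Build message 92 at the point of use, inside code that already has a
 * trusted $_CONF. Hypothetical helper: $_CONF and COM_createLink() come from
 * the including script, exactly as in the thread.
 *
 * @param array $lang  the $LANG_OPENID table above
 * @param array $conf  the trusted $_CONF array
 * @return string      the finished sentence with the link inserted
 */
function openidSecurityNotice(array $lang, array $conf)
{
    $link = COM_createLink($lang[93], $conf['site_admin_url'] . '/sectest.php');
    return sprintf($lang[92], $link);
}
```

Calling `openidSecurityNotice($LANG_OPENID, $_CONF)` from the OpenID handler produces the same sentence the patch produces, but the dependency on $_CONF and on a function being defined has moved out of the language file and into the code path that was already trusted to have them.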
