[geeklog-devel] 1.5 Installer stuff

Joe Mucchiello joe at ThrowingDice.com
Fri Oct 12 02:08:41 EDT 2007

At 11:06 PM 10/11/2007, Blaine Lang wrote:
>Joe Mucchiello wrote:
>It may be just late for me but I will ask the question anyways. 
>What vulnerability does the above create - as this is very different 
>than a remote file include vulnerability. If someone wants to run 
>english.php and change $_CONF['site_admin_url'] - what are they 
>going to harm or see happen?

I don't claim there is a current vulnerability. I'm just saying that 
now there is the potential for code to run in language files. Today 
it's just a function call. Who knows what someone might be able to 
make that do at some point in the future. It doesn't hurt to add the 
"can't run this file" logic.

Joe Mucchiello
Throwing Dice Games
