[geeklog-devel] 1.5 Installer stuff

Tony Bibbs tony at tonybibbs.com
Fri Oct 12 10:51:55 EDT 2007


He's probably right, though, I think the risk is extremely low given most installations don't expose the language/ directory in the public web tree. I guess more to the point, where do you draw the line? I mean think about it...*all* the .php files outside of the public_html as well as some inside the tree need to have this check (some of which I know already do).

The scenarios it would take to exploit this require the ability to write to one of the files in the first place, which can't really be put on GL. Don't get me wrong, add the check since one of our claims to fame is security...I'm just not that concerned about it.

--Tony

----- Original Message ----
From: Joe Mucchiello <joe at ThrowingDice.com>
To: Geeklog Development <geeklog-devel at lists.geeklog.net>
Sent: Friday, October 12, 2007 1:08:41 AM
Subject: Re: [geeklog-devel] 1.5 Installer stuff

At 11:06 PM 10/11/2007, Blaine Lang wrote:
>Joe Mucchiello wrote:
>>Example: 
>>http://example.com/geeklog/languages/english.php?_CONF[site_admin_url]=http://evil.com 
>>
>It may be just late for me but I will ask the question anyways.
>What vulnerability does the above create - as this is very different
>than a remote file include vulnerability. If someone wants to run
>english.php and change $_CONF['site_admin_url'] - what are they
>going to harm or see happen?

I don't claim there is a current vulnerability. I'm just saying that 
now there is the potential for code to run in language files. Today 
it's just a function call. Who knows what someone might be able to 
make that do at some point in the future. It doesn't hurt to add the 
"can't run this file" logic.

----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com 
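
An added example, not part of the original thread and not Geeklog's own code: a small Python audit for the point raised above that every includable .php file needs the "can't run this file" check, reporting files where the check is missing, commented out, or placed after other code has already run. The guard idioms it recognises, the sample files, and every name and constant in them are assumptions constructed for illustration.

```python
import re

# Guard idioms are assumptions: the thread does not show Geeklog's actual check.
GUARDS = [
    # if (!defined('CONST')) { die(...); }   or   defined('CONST') or die(...);
    re.compile(r"(?:if\s*\(\s*!\s*)?defined\s*\(\s*['\"]\w+['\"]\s*\)\s*"
               r"(?:\)\s*\{?|or|\|\|)\s*(?:die|exit)\b", re.I),
    # if (strpos(... $_SERVER['PHP_SELF'] ..., 'file.php') !== false) { die(...); }
    re.compile(r"if\s*\([^{;]*\$_SERVER\s*\[\s*['\"](?:PHP_SELF|SCRIPT_NAME)['\"]\s*\]"
               r"[^{;]*\)\s*\{?\s*(?:die|exit)\b", re.I),
]
LEADING_COMMENT = re.compile(r"\s*(?:/\*.*?\*/|//[^\n]*|#[^\n]*)", re.S)

def first_statement(src):
    """Return the source from its first executable token onward."""
    body = re.sub(r"^\s*<\?php", "", src, count=1)
    while (m := LEADING_COMMENT.match(body)):
        body = body[m.end():]
    return body.lstrip()

def is_guarded(src):
    """True only if a guard is the very first thing the file executes."""
    code = first_statement(src)
    return any(g.match(code) for g in GUARDS)

def audit(files):
    """Names of files that run code before (or without) a direct-access guard."""
    return sorted(name for name, src in files.items() if not is_guarded(src))

# Constructed sample files; every name and constant below is hypothetical.
SAMPLES = {
    "unguarded.php": "<?php\n// language file\n$LANG = build_strings($_CONF['site_admin_url']);\n",
    "const_guard.php": "<?php\nif (!defined('IN_APP')) { die('no direct access'); }\n$LANG = array();\n",
    "self_guard.php": "<?php\n/* header */\nif (strpos(strtolower($_SERVER['PHP_SELF']), 'self_guard.php') !== false) {\n    die('no direct access');\n}\n",
    "late_guard.php": "<?php\n$LANG = build_strings($_CONF['site_admin_url']);\ndefined('IN_APP') or die('no');\n",
    "commented_guard.php": "<?php\n// defined('IN_APP') or die('no');\n$LANG = array();\n",
}

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print("missing or late guard:", name)
```

To audit a real tree, build the `files` mapping from the .php files on disk and pass it to `audit()`; the check is deliberately strict and treats any statement ahead of the guard as a failure.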
