The art of closing security holes

Tuesday, October 18. 2005

Today Secunia has released an advisory about multiple XSS and include vulnerabilities in MySource 2.14.0. While this is not suprising, because MySource is just one more badly written PHP application, I was rolling on the floor after reading their solution.

The vendor has fixed the vulnerabilities in version 2.14.2 by warning 
the user during the installation process about the security risks of 
placing MySource script files in a publicly available folder and 
having "register_globals" enabled.

After a quick look into their installer, there is indeed a warning message saying:

It is important that the MySource path is *not* in a web-accessible 
location, as it poses a security risk. The 'register_globals' line 
in your PHP configuration (which can usually be found in /etc/php.ini)
must be set to 'Off' in order to provide greater security when handling
user-supplied input. An example ...

Of course they fail to mention that even if you have only the files they are speaking of in the document root directory, you are still vulnerable to the include vulnerabilities as long you do not switch off register_globals.

Well I just wonder how they will fix the code execution vulnerabilities that do not need register_globals turned on, if someone reports those to them...

Posted by Stefan Esser in Security, PHP at 19:17

Comment (1)

Link to this post

Comments

Display comments as (Linear | Threaded)

#1 Mike Willbanks wrote (Link) ()

That is a pretty funny solution. Why not use a .htaccess for apache to turn it off and use a script to combat the register globals? Does the vendor of MySource even know about that

Most security holes are extremely easy to close, why is it so hard for people to understand and stop neglecting security when all of the information is right there at your finger tips?

Mike

posted on Tuesday, October 18. 2005

Add Comment

Calendar