Ashar Voultoiz <hashar@...> wrote:
Thomas Gries wrote:
> To whom it may concern:
> PHP File-Upload $GLOBALS Overwrite Vulnerability
> http://www.hardened-php.net/advisory_202005.79.html
> $GLOBAL Overwrite and its Consequences:
> http://www.hardened-php.net/index.76.html
We don't use register_globals on WikiMedia website, I think most PHP
packages now ship with register_globals set to off and anyone still using it
should recode their scripts :)
Ashar,
thank you for the quick reply.
However, the above references describe a severe problem even for the case that register_globals _is_ off.
The UPLOAD function has the flaw (please carefully study both resources), which can cause a glitch in the PHP internal setting for register_globals.
I recommend the MediaWiki developers study both references for the consequences.
Tom