Ashar Voultoiz <hashar@...> wrote:
Thomas Gries wrote:
To whom it may concern:
PHP File-Upload $GLOBALS Overwrite Vulnerability
http://www.hardened-php.net/advisory_202005.79.html
$GLOBAL Overwrite and its Consequences:
http://www.hardened-php.net/index.76.html
We don't use register_globals on the Wikimedia website. I think most PHP packages now ship with register_globals set to off, and anyone still using it should recode their scripts :)
Ashar, thank you for the quick reply.
However, the above references describe a severe problem even for the case that register_globals _is_ off. The UPLOAD function has the flaw (please carefully study both resources), which can cause a glitch in the PHP internal setting for register_globals.
I recommend the MediaWiki developers study both references for the consequences.
Tom
wikitech-l@lists.wikimedia.org