[Mediawiki-l] MediaWiki 1.3.0beta6 released

Morbus Iff morbus at disobey.com
Fri Aug 6 23:13:27 UTC 2004


>Beta 6 includes a security fix: earlier 1.3.0 beta releases may be
>vulnerable to a PHP inclusion attack if you have allow_url_fopen and
>register_globals on (this is the default configuration in PHP 4.1.x, but
>register_globals is off by default in 4.2.x and later).

Incidentally, a side note about this. From what I've read, you cannot
set allow_url_fopen by using ini_set - it's an admin value only. I
think I saw an attempt to turn this off in one of the source files.
Is this "just in case" sorta stuff?

-- 
Morbus Iff ( insert pithy quote here )
Technical: http://www.oreillynet.com/pub/au/779
Culture: http://www.disobey.com/ and http://www.gamegrene.com/
icq: 2927491 / aim: akaMorbus / yahoo: morbus_iff / jabber.org: morbus
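
The "just in case" override asked about above, written as a startup guard: it attempts the runtime change, reads the value back, and refuses to continue only when both settings named in the quoted announcement are still in effect. This is an added example, not MediaWiki's code or part of the original message; the function names ini_flag and harden_url_fopen are hypothetical.

```php
<?php
// Added example (not MediaWiki source). Function names are hypothetical.

/** Normalise a php.ini value ("On", "1", "true", "", false) to a boolean. */
function ini_flag(string $name): bool
{
    $raw = ini_get($name);          // false when the directive does not exist
    if ($raw === false) {
        return false;
    }
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

/** Attempt the runtime override, then report what is actually in effect. */
function harden_url_fopen(): array
{
    $before   = ini_flag('allow_url_fopen');
    // ini_set() returns false when the directive cannot be changed from a script.
    $accepted = @ini_set('allow_url_fopen', '0') !== false;
    // Read the value back instead of trusting that the call succeeded.
    $after    = ini_flag('allow_url_fopen');

    return [
        'before'            => $before,
        'override_accepted' => $accepted,
        'effective'         => $after,
    ];
}

$state   = harden_url_fopen();
$globals = ini_flag('register_globals');  // absent directive is treated as off

printf(
    "allow_url_fopen: before=%s override_accepted=%s effective=%s\n",
    var_export($state['before'], true),
    var_export($state['override_accepted'], true),
    var_export($state['effective'], true)
);
printf("register_globals: %s\n", var_export($globals, true));

// The quoted announcement names this combination as the exposure condition.
if ($state['effective'] && $globals) {
    error_log('allow_url_fopen and register_globals are both on; '
        . 'disable them in php.ini or the server configuration.');
    exit(1);
}
```

If override_accepted is false while effective is true, the in-script call had no effect and the setting has to be changed in php.ini or the web server configuration.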


