Beta 6 includes a security fix: earlier 1.3.0 beta releases may be
vulnerable to a PHP inclusion attack if you have allow_url_fopen and
register_globals on (this is the default configuration in PHP 4.1.x, but
register_globals is off by default in 4.2.x and later).

Incidentally, a side note about this. From what I've read, you cannot
set allow_url_fopen by using ini_set - it's an admin value only. I
think I saw an attempt to turn this off in one of the source files.
Is this "just in case" sorta stuff?
--
Morbus Iff ( insert pithy quote here )
Technical: http://www.oreillynet.com/pub/au/779
Culture: http://www.disobey.com/ and http://www.gamegrene.com/
icq: 2927491 / aim: akaMorbus / yahoo: morbus_iff / jabber.org: morbus