mhonarc-users

Re: '$' signs in messages

2001-08-22 02:43:02
On Sun, 19 Aug 2001 15:43:15 -0400 
Thomas Reinke <reinke(_at_)e-softinc(_dot_)com> wrote:

> If, as Earl said, you are doing something with PHP, and this is
> the root of your problem, you better be VERY careful.  You have to
> make sure whatever page you archived cannot be tricked into being
> PHP executable (e.g. do not "include" or "require" the page).

This is not a concern.  All message data ends up being shoved either
into here files or into variable assignments (see the URLs to the
RCs etc I posted a couple days ago).  There is no PHP-executable
path to message contents.

> The security hole is this: someone can post a message to the
> newsgroup you are archiving, with PHP embedded code that will do
> things like read the password file and mail it to someone, and so
> on.

Yup, I'm well aware of the problem via other commonly used PHP-based
tools (not that it's specific to PHP).

-- 
J C Lawrence                                    )\._.,--....,'``.
---------(*)                                   /,   _.. \   _\  ;`._ ,.
claw(_at_)kanga(_dot_)nu                       `._.-(,_..'--(,_..'`-.;.'
http://www.kanga.nu/~claw/                     Oh Freddled Gruntbuggly
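The distinction the two posters are drawing (message text that is only data versus message text that has a path into PHP execution) is easier to see in code. The following is an added PHP example, not code from MHonArc or from either poster; it assumes a generated archive page that embeds a message body held in a variable called $body, and the message text is constructed here for illustration.

```php
<?php
// Added example (not MHonArc's code): three ways an archive page can hold a
// message body, from the pattern the thread warns against to the one it
// describes as safe. $body is a constructed sample, not a real message.
$body = "The fee is \$5 per month.\nSee \$HOME/notes for the rest.";

// UNSAFE: writing the raw body into a generated PHP source file as a
// heredoc. Heredocs interpolate, so "$5" and "$HOME" are no longer literal
// text: a variable reference in a posted message is evaluated when the
// archive page runs, and a line matching the terminator breaks the file.
function generateUnsafe(string $body): string
{
    return "<?php\n\$msg = <<<EOT\n$body\nEOT;\n";
}

// SAFER: if PHP source must be generated, emit the body as a properly
// escaped single-quoted literal. Single-quoted strings never interpolate,
// and var_export() escapes the quotes and backslashes that could otherwise
// terminate the literal early, so '$' survives as plain text.
function generateSafe(string $body): string
{
    return "<?php\n\$msg = " . var_export($body, true) . ";\n";
}

// BEST: keep the message as data (here-file or variable assignment, as the
// reply describes) and never include() or require() anything built from
// it. On output, escape for HTML so the browser treats it as text too.
function render(string $body): string
{
    return '<pre>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</pre>';
}

echo generateSafe($body);   // '$' signs appear literally in the generated file
echo render($body);         // '$' signs appear literally in the rendered page
```

A quick check when auditing an archive generator: grep the generated PHP for heredoc (`<<<`) or double-quoted strings that contain message text, and for any include/require whose target is derived from message content. If message bodies reach the page only through single-quoted literals or data files that are read and escaped at display time, the "PHP embedded code" concern raised above does not apply.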
