PHPDeveloper: PHP News, Views and Community

Subscribe

@phpdeveloper.org

News Archive

Community News: Latest PECL Releases (09.10.2024)

Community News: Latest PECL Releases (09.03.2024)

Community News: Latest PECL Releases (08.27.2024)

Community News: Latest PECL Releases (08.20.2024)

Community News: Latest PECL Releases (08.13.2024)

Community News: Latest PECL Releases (08.06.2024)

Community News: Latest PECL Releases (07.30.2024)

Community News: Latest PECL Releases (07.23.2024)

Community News: Latest PECL Releases (07.16.2024)

Community News: Latest PECL Releases (07.09.2024)

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Hardened-PHP Project:
Advisory - PHProjekt (Remote) Include Vulnerabilities

byChris Cornutt Sep 29, 2006 @ 15:01:00

The Hardened-PHP Project has released a new vulnerability for the PHProjekt groupware software.

While searching for applications that are vulnerable to a new class of vulnerabilities inside PHP applications we took a quick look into the current PHProjekt source code and discovered that a (remote) include vulnerability had been (re)introduced.

By overwriting a variable with user input it is possible to inject and execute arbitrary PHP code. Overwriting this variable is possible regardless of the register_globals setting.

They give a few more details further down the posting and note that users should download and install the latest version (at the time of this post, 5.1.2).