[pmwiki-users] pmwiki exploit

Patrick R. Michaud pmichaud at pobox.com
Tue Sep 5 09:25:59 CDT 2006


On Wed, Sep 06, 2006 at 12:38:59AM +1200, Robin Sheat wrote:
> On Wednesday 06 September 2006 00:17, Nils Knappmeier wrote:
> > I verified it, and it really works.
> Of course, most people should have register_globals=off in their php.ini file, 
> which will prevent this happening at all. If you don't, now is a good time to 
> check if you can happily run with it off. Many PHP application exploits 
> require it to be 'on' to be effective.

If you don't have privileges to adjust the php.ini file directly,
you might try adjusting it in .htaccess:

    php_flag register_globals off

One can use ?action=phpinfo (with $EnableDiag = 1 set) to 
determine if register_globals is indeed set to 'off'.

Pm
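
Added example, not part of the original message or of PmWiki: a shell check that reports what a php.ini or .htaccess file sets for register_globals, as a complement to the ?action=phpinfo check above. The function name register_globals_state and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report what a php.ini or
# .htaccess file says about register_globals.
# Prints "on", "off", or "unset" (no directive here, so the PHP default or a
# parent configuration decides). The last matching directive in the file wins.
# Note: php_flag lines only take effect when PHP runs as an Apache module and
# AllowOverride permits them, so confirm the live value via phpinfo as well.
register_globals_state() {
    awk '
    BEGIN { state = "unset" }
    {
        line = tolower($0)
        sub(/^[ \t]+/, "", line)
        sub(/[ \t\r]+$/, "", line)
        if (line == "" || line ~ /^[;#]/) next      # blank line or comment
        if (line ~ /^php_(admin_)?(flag|value)[ \t]+register_globals[ \t]+/) {
            split(line, f, /[ \t]+/)                # Apache form
            val = f[3]
        } else if (line ~ /^register_globals[ \t]*=/) {
            val = line                              # php.ini form
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t;].*$/, "", val)               # drop trailing comment
        } else next
        gsub(/"/, "", val)
        # Conservative: any of these spellings is reported as enabled.
        state = (val ~ /^(on|1|true|yes)$/) ? "on" : "off"
    }
    END { print state }
    ' "$1"
}

# Constructed sample files, for illustration only.
tmp=$(mktemp -d)
printf '%s\n' '; constructed php.ini' 'register_globals = On ; legacy default' > "$tmp/php.ini"
printf '%s\n' '# constructed .htaccess' '#php_flag register_globals on' 'php_flag register_globals off' > "$tmp/.htaccess"
printf '%s\n' 'Options -Indexes' > "$tmp/other.htaccess"

for f in "$tmp/php.ini" "$tmp/.htaccess" "$tmp/other.htaccess"; do
    printf '%-16s %s\n' "$(basename "$f")" "$(register_globals_state "$f")"
done
rm -rf "$tmp"
```

A result of "unset" means the file does not decide the value, so the server-wide setting applies and should be checked separately.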



