27 Aug
2010
27 Aug
'10
11:27 p.m.
On 08/26/2010 03:29 AM, Keith Roberts wrote:
register_globals is supposed to be off by default - so that should stop any global variables being injected.
Doesn't matter. The vulnerability discussed is one where a PHP application actually takes the name of a file as input from the client. If your application does that and does not sanitize the path then it ends up vulnerable to code injection from the user.