Date index for Nov 2003



Re: [achievo] Security Hole - Is this fixed



Hi,

Chris Cameron wrote:

> The bulletin says that the hole was fixed in 0.82, but doesn't
> atk/javascript/class.atkdateattribute.js.inc still include the same bug? Or
> is it not possible for a web server to directly execute this file the way
> that the security bulletin describes?

No, if the extension is not .php, the webserver does not execute the file if you directly browse it.


Furthermore, Achievo (1.0.RC1 or higher) is now compatible with register_globals=Off. If you turn this setting to off in php.ini, Achievo is invulnerable to the described exploit.

Greetings,
Ivo
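
An added check, not part of the original message and not Achievo code, for the two conditions the reply relies on: whether php.ini leaves register_globals on, and whether the web server maps any extension of the .inc file to PHP. The function names and the sample php.ini and Apache fragments are constructed for illustration.

```python
import re

# Constructed sample configuration text, not from a real installation.
SAMPLE_PHP_INI = """\
[PHP]
register_globals = On
;register_globals = Off
"""
SAMPLE_HTTPD_CONF = """\
AddType application/x-httpd-php .php .phtml
AddType text/plain .inc
"""

def register_globals_enabled(ini_text):
    """Last uncommented register_globals value as a bool; None if unset."""
    result = None
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()   # ';' starts a php.ini comment
        m = re.match(r'register_globals\s*=\s*"?(\w*)"?$', line, re.I)
        if m:
            result = m.group(1).lower() in {"1", "on", "true", "yes"}
    return result

def php_extensions(httpd_text):
    """Extensions that AddType/AddHandler directives hand to PHP."""
    exts = set()
    for line in httpd_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0].lower() in ("addtype", "addhandler"):
            if "php" in parts[1].lower():
                exts.update(p.lstrip(".").lower() for p in parts[2:])
    return exts

def executed_as_php(path, httpd_text):
    """True if any extension in the file name is mapped to PHP.
    Conservative: mod_mime considers every extension, not only the last."""
    name_exts = path.rsplit("/", 1)[-1].lower().split(".")[1:]
    return bool(php_extensions(httpd_text).intersection(name_exts))

if __name__ == "__main__":
    target = "atk/javascript/class.atkdateattribute.js.inc"
    print("register_globals on:", register_globals_enabled(SAMPLE_PHP_INI))
    print("executed as PHP:", executed_as_php(target, SAMPLE_HTTPD_CONF))
```

The check reads only AddType and AddHandler lines; a SetHandler inside a Files or FilesMatch block would need separate review.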




http://www.achievo.org/lists achievo.org - ©1999-2002 ibuildings.nl BV