Re: [Full-disclosure] FWD: PhotoPost vBGallery ImportantSecurity Bulletin

[trains <trains@xxxxxxxxxxxxxx>]

Quoting php0t <php0t@xxxxxxxx>:

> From: "trains" <trains@xxxxxxxxxxxxxx>
>> The "AddType" statement for php is normally system-wide, which means
>> the web server will execute php scripts that may be found in the
>> upload directory.  This can be fixed multiple ways:
>
> They will just place an .htaccess and do addtype themselves.
> "php_admin_flag engine off" will probably render most of the issues you
> mentioned useless in one shot.

I had never heard of that flag before.  Nice.

http://us.php.net/manual/es/ref.apache.php

I don't think I like seeing php and apache being so tightly coupled,  
but I suppose we need to live in the real world, eh?

tr

-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:    services@xxxxxxxxxxxxxx


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/