From: David Schwartz (davidswebmaster.com)
Date: Thu Aug 03 2006 - 20:20:29 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> *sigh*
> Another one of those.
>
> Solution:
> Set PHP to register_globals = off
>
> At a *very* brief glance at SimpleCMS it looks as if it should run with
> register_globals = off as it's using $_GET and $_POST to access
> parameters.
>
> Thus it is not even a SimpleCMS-induced bug (as in: requires that
> setting) in the PHP configuration, but simply plain ignorance or
> stupidity of the webserver admin.

        If it would be possible for SimpleCMS to check if the URL contained the
offending setting or confirm that a register globals was off or on, then the
problem is in SimpleCMS. If a simple setting can destroy all of your
security, you must check that setting. (Even more so if it's the absence of
a setting.) Basic common sense.

        If a car was shipped in the "blows up after a week" mode and the dealer had
to flip a switch to get it out of that mode, the car would definitely be
considered defective, not the dealer who failed to flip the switch. We don't
design cars that way because it's obvious that sooner or later a dealer will
forget to flip a switch and a car will blow up.

        DS

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]