dpk wrote:
Having register_globals on with a bunch of 3pd add-ons is a big security risk from what I've read. Having it on period seems to have been frowned on for years. Is there any good reason to have it on?
Post edited by: dpk, at: 2006/08/12 05:45
There is *no* good reason or excuse to have it on.
It is a compatibility setting for very old PHP code.
Having it ON is just a *very large* security risk, proven these last weeks by the flow of Internet attacks on Joomla and its 3PD extensions (most succeeded only on sites with that setting ON. 3PD components started getting attacked probably due to Joomla's rising popularity, I guess...and also because Joomla itself got pretty secure by now).
Just switch the PHP register_globals setting to OFF, or ask your hoster to do it...like *now*.
If you then have very old code not working, just fix it, or update it (it might be worthwhile anyway, security-wise).
In the future, we will NOT treat vulnerabilities with PHP register_globals ON as critical ones, like we did this time.
Even Joomla 1.5 will not allow running it on such insecure systems.
I hope I made myself understood.
Post edited by: beat, at: 2006/08/12 17:49
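One way to check what a PHP configuration file sets for register_globals before and after switching it OFF, as an added example that is not part of the original posts. The function name `rg_state` and the sample file contents are made up for illustration.

```shell
#!/bin/sh
# Added example: report the register_globals value a PHP config file sets.
# Handles php.ini / .user.ini lines ("register_globals = On") and Apache
# mod_php lines ("php_flag register_globals on"). Prints on, off or unset.
# rg_state is a hypothetical helper name, not part of PHP or Joomla.
rg_state() {
    awk '
        BEGIN { state = "unset" }
        { line = tolower($0) }
        # Skip blank lines and comments (";" in ini files, "#" in Apache files).
        line ~ /^[ \t]*$/ || line ~ /^[ \t]*[;#]/ { next }
        {
            val = ""
            if (line ~ /^[ \t]*register_globals[ \t]*=/) {
                val = line
                sub(/^[^=]*=[ \t]*/, "", val)
            } else if (line ~ /^[ \t]*php_(admin_)?(flag|value)[ \t]+register_globals[ \t]/) {
                val = line
                sub(/^[ \t]*[a-z_]+[ \t]+register_globals[ \t]+/, "", val)
            } else {
                next
            }
            sub(/[ \t]*;.*$/, "", val)    # drop a trailing ini comment
            gsub(/[" \t\r]/, "", val)     # drop quotes and whitespace
            # A later assignment overrides an earlier one.
            state = (val ~ /^(on|1|true|yes)$/) ? "on" : "off"
        }
        END { print state }
    ' "$1"
}

# Constructed sample: a php.ini fragment where a later line re-enables the setting.
sample=$(mktemp)
printf '%s\n' '; register_globals = Off' 'register_globals = Off' \
    'Register_Globals = "On"   ; needed by legacy add-on' > "$sample"
echo "sample php.ini: register_globals is $(rg_state "$sample")"
rm -f "$sample"
```

A result of `unset` means the file does not mention the setting, so the value comes from another configuration file or from PHP's built-in default.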