Security Release - CB 1.0.1 - RELEASED!
beat
17 years 9 months ago #18709
by beat
Beat - Community Builder Team Member
Before posting on forums: Read FAQ thoroughly -- Help us spend more time coding by helping others in this forum, many thanks
CB links: Our membership - CBSubs - Templates - Hosting - Forge - Send me a Private Message (PM) only for private/confidential info
Replied by beat on topic Re:Security Release - CB 1.0.1 - RELEASED!
dpk wrote:
There is no good reason or excuse to have it on.
It is a compatibility setting for very old PHP code.
Having it ON is just a very large security risk, proven those last weeks with the flow of Internet attacks on Joomla and its 3PD extensions (most succeeded only on sites with that setting to ON. 3PD components started getting attacked probably due to Joomla's raising popularity I guess...and also that Joomla itself got pretty secure by now).
Just switch php register_globals setting to OFF.
or ask your hoster to do it...like *now*.
If you then have very old code not working, just fix it, or update it (it might be worthwile anyway securitywise).
In the future, we will NOT treat vulnerabilities with php register_globals ON as critical ones, like we did it this time.
Even Joomla 1.5 will not allow to run it on such insecure systems.
I hope I made myself understood.
Post edited by: beat, at: 2006/08/12 17:49
Having register_globals on with a bunch of 3pd add-ons is a big security risk from what I've read. Having it on period seems to have been frowned on for years. Is there any good reason to have it on?
Post edited by: dpk, at: 2006/08/12 05:45
There is no good reason or excuse to have it on.
It is a compatibility setting for very old PHP code.
Having it ON is just a very large security risk, proven those last weeks with the flow of Internet attacks on Joomla and its 3PD extensions (most succeeded only on sites with that setting to ON. 3PD components started getting attacked probably due to Joomla's raising popularity I guess...and also that Joomla itself got pretty secure by now).
Just switch php register_globals setting to OFF.
or ask your hoster to do it...like *now*.
If you then have very old code not working, just fix it, or update it (it might be worthwile anyway securitywise).
In the future, we will NOT treat vulnerabilities with php register_globals ON as critical ones, like we did it this time.
Even Joomla 1.5 will not allow to run it on such insecure systems.
I hope I made myself understood.
Post edited by: beat, at: 2006/08/12 17:49
Beat - Community Builder Team Member
Before posting on forums: Read FAQ thoroughly -- Help us spend more time coding by helping others in this forum, many thanks
CB links: Our membership - CBSubs - Templates - Hosting - Forge - Send me a Private Message (PM) only for private/confidential info
Please Log in to join the conversation.
Moderators: beat, nant, krileon
Time to create page: 0.263 seconds
