[wp-hackers] Sql injection admin hash disclosure exploit for
mark.wordpress at txfx.net
Thu Jan 11 16:57:19 GMT 2007
On Jan 11, 2007, at 3:13 AM, Roland Häder wrote:
> I suppose "register_globals on" *is* the security hole? ;) If your
> application requires register_globals turned on, then please
> rewrite it on your own (if allowed by the included license) or search
> for an alternative. "register_globals on" is bad (in combination
> with other PHP options a nightmare).
WordPress has never required register_globals to be turned on. We
hate register globals. :-) We have code in WordPress that
unregisters global variables. The bug was a PHP bug that makes use
of unset() to de-register variables unsafe. I found a workaround.
Covered Web Services