Date:         Mon, 26 Feb 2001 12:43:15 -0800
From: Joe <joe@blarg.net>
Subject:      Re: Yet another hole in PHP-Nuke
To: BUGTRAQ@SECURITYFOCUS.COM

On Sat, 24 Feb 2001, Joao Gouveia wrote:

> The same two tests applied to an include($string)
> magic_quotes_gpc On, output: Warning: Failed opening 'tes\0t' for
> inclusion
> magic_quotes_gpc Off, output: Warning: Failed opening 'tes' for
> inclusion
> So, everything after the NULL was ignored.
>
> Of course, one who uses magic_quotes_gpc turned on isn't expecting this
> kind of behaviour.

On a side note to other PHP developers, if your code is expecting Magic
Quotes to be on, then there's no reason for this particular problem as
Magic Quotes can be programmatically controlled:

if( ! get_magic_quotes_gpc() ) {
    set_magic_quotes_runtime(1) or die("could not enable magic quotes");
}

Anyone using PHP should have this bit-o-code somewhere near the start of
program execution. Since few servers are ever built with the same
features or options enabled, it just makes sense to check for the stuff your
code needs - especially since magic quotes can help make exploiting a PHP
script much more difficult.

--
Joe                                     Technical Support
General Support:  support@blarg.net     Blarg! Online Services, Inc.
Voice:  425/401-9821 or 888/66-BLARG    http://www.blarg.net
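
An added example, not part of the message above or of the quoted post: one way to validate a request-supplied name before it reaches include(), so that both outputs from the quoted test ('tes' followed by a raw NUL, and the escaped 'tes\0t') are refused whatever the magic_quotes_gpc setting. The function name, the page table and the directory are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. The page names and the
// include directory below are constructed placeholders.

// Request values that may be included, mapped to fixed file names (hypothetical).
$ALLOWED_PAGES = array(
    'home'  => 'home.php',
    'news'  => 'news.php',
    'about' => 'about.php',
);

/**
 * Return the full path to include for $name, or false if it must be refused.
 */
function resolve_include($name, $baseDir, $allowed)
{
    if (!is_string($name)) {
        return false;   // array-valued request parameters are refused
    }
    // A raw NUL cuts the file name short (the magic_quotes_gpc Off output above).
    if (strpos($name, "\0") !== false) {
        return false;
    }
    // Accept only a short token of letters, digits, '_' and '-'. The escaped
    // form 'tes\0t' (the magic_quotes_gpc On output) fails on the backslash.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name)) {
        return false;
    }
    // The request value only selects a table entry; it never becomes the path.
    if (!isset($allowed[$name])) {
        return false;
    }
    return rtrim($baseDir, '/') . '/' . $allowed[$name];
}

// Constructed sample inputs: a normal value, the two strings from the
// quoted test, and a well-formed name that is not in the table.
$samples = array('news', "tes\0t", 'tes\\0t', 'nosuchpage');
foreach ($samples as $s) {
    $path = resolve_include($s, '/var/www/pages', $ALLOWED_PAGES);
    // addcslashes makes control bytes visible when printing the input.
    echo addcslashes($s, "\0..\37"), ' => ',
         ($path === false ? 'refused' : $path), "\n";
}
```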