m0nty wrote:
You can set register globals off by using .htaccess.
There are many threads and topics in these forums on how to do that ;)
But yes, it does mean that if magic_quotes GPC is ON then this exploit will not work :)
Try:
php_value allow_url_fopen off
php_flag register_globals off
And install the XOOPS Protector module too.
Incidentally, it's been said for many years that programmers should write their code properly so that their scripts work with register globals turned off, not just for security but for better programming technique. System administrators really ought to, by now, disable register globals on all their servers.
In a perfect world, sure, but sadly there are MANY popular modules that require RG turned on.
The only reason I have it turned on is that turning it off would disable a couple of my modules.