[VIM] work system e-commerce?
Steven M. Christey
coley at linus.mitre.org
Fri Nov 17 14:15:36 EST 2006
On Fri, 17 Nov 2006, str0ke wrote:
> global ${$varname};
> foreach (${$varname} as $key => $val) {
> global ${$key};
> ${$key} = $val;
> }
I refer to these as "dynamic variable evaluation" issues. We should see
more of these as programmers implement their own equivalent of
register_globals. See my Bugtraq post:

"Dynamic Evaluation Vulnerabilities in PHP applications"
http://seclists.org/bugtraq/2006/May/0051.html

I have some example detection strings in there.

So we have to investigate every preceding include/require to look for
these kinds of issues. Eval injection would also be suspect.
- Steve
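
Added example, not part of the message above or of the referenced Bugtraq post: a small Python audit helper that flags homegrown register_globals constructs and eval calls in a PHP entry script and in every file it includes through a literal path. The patterns, the function names `scan_php` and `audit`, and the sample files are assumptions of this example.

```python
import re

# Heuristic patterns chosen for this example (assumptions, not the
# detection strings from the Bugtraq post referenced above).
PATTERNS = [
    ("variable-variable", re.compile(r"\$\{\s*\$\w+\s*\}|\$\$\w+")),
    ("extract-call", re.compile(r"\bextract\s*\(", re.I)),
    ("import_request_variables", re.compile(r"\bimport_request_variables\s*\(", re.I)),
    ("parse_str-one-arg", re.compile(r"\bparse_str\s*\(\s*[^,()]+\)", re.I)),
    ("eval-call", re.compile(r"\beval\s*\(", re.I)),
]
# Only literal include paths are followed; computed paths need manual review.
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?\s*['\"]([^'\"]+)['\"]", re.I)

def scan_php(source):
    """Return (line_no, label, text) for each suspicious construct in one file."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*")):  # skip whole-line comments
            continue
        for label, rx in PATTERNS:
            if rx.search(line):
                findings.append((no, label, line.strip()))
    return findings

def audit(files, entry):
    """Scan `entry` and every file it includes, transitively.
    `files` maps include path -> source text (paths are used as written)."""
    seen, queue, report = set(), [entry], {}
    while queue:
        name = queue.pop(0)
        if name in seen or name not in files:
            continue
        seen.add(name)
        hits = scan_php(files[name])
        if hits:
            report[name] = hits
        queue.extend(INCLUDE.findall(files[name]))
    return report

# Constructed sample: an entry script that pulls in the loop quoted above.
SAMPLE = {
    "index.php": "<?php\nrequire_once('inc/globals.php');\necho $title;\n",
    "inc/globals.php": "<?php\nglobal ${$varname};\nforeach (${$varname} as $key => $val) {\n"
                       "global ${$key};\n${$key} = $val;\n}\n",
}

if __name__ == "__main__":
    for name, hits in audit(SAMPLE, "index.php").items():
        for no, label, text in hits:
            print(f"{name}:{no}: {label}: {text}")
```

A hit is a lead for manual review, not a confirmed issue: whether the flagged variable names are attacker-controlled still has to be checked by hand.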