PHP injection vulnerability?

Steve

PHP injection vulnerability?

Posted:27 Dec 2007 (19:04 UTC)
Is there any workaround for the recently discovered PHP injection
vulnerability reported here?
Anonymous

Re: PHP injection vulnerability?

Posted:28 Dec 2007 (08:16 UTC)
I read, "if comments are allowed, attackers can use this url /wiki/index.php?page_id=1#editcomments to POST evil scripts and PHP code into the page" - really? I thought HTMLPurifier takes care of this, which has been around since long before version 2?

The other thing, " White Screen of Death: (SQL Injection) - Critical information is listed o nthis page when you inject evil code" ... you can prevent that by setting IS_LIVE to true in kernel/config_inc.php for live servers.