[documentation] PHP snippets (once again)
Heine Deelstra
info at ustilago.org
Sun May 7 14:26:45 UTC 2006
Dear doc team,
I looked at several snippets yesterday and to my horror many of them
contain *obvious*, major security holes. I've spoken with the leader of
the security team (chx) and we agreed to unpublish all obviously insecure
snippets, then have a discussion based on numbers (ok vs. not ok) and how
to proceed.
In the limited sample set I've reviewed until now > 50% of the snippets
either
- bypass 'access' security (sometimes titles, sometimes full nodes)
- allow XSS
- allow SQL injection
- allow a combination of the above
Regards,
Heine
PS Should we decide to continue with php snippets in this way, I'll also
be the one to publish them again :(