What I am trying to say is the exploit was always there. So day zero is an excuse for writing bad code? Check this link out, it might help you understand what I mean: http://www.onlamp.com/pub/a/php/2003/03 ... urity.html. Yeah, 2003, so does that make the exploit day zero? I don't think so. I am LMFAO because a day zero excuse is a bad excuse for bad coding practices. Look at the exploit.
Code Snippet:
/lists/admin.php #line:10-18
if (!ini_get("register_globals") || ini_get("register_globals") == "off") {
    # fix register globals, for now, should be phased out gradually
    # sure, this gets around the entire reason that register globals
    # should be off, but going through three years of code takes a long time....
    foreach ($_REQUEST as $key => $val) {
        $$key = $val;
    }
}
/lists/admin.php #line:41-56
if (isset($_SERVER["ConfigFile"]) && is_file($_SERVER["ConfigFile"])) {
    print '<!-- using '.$_SERVER["ConfigFile"].'-->'."\n";
    include $_SERVER["ConfigFile"];
} elseif (isset($cline["c"]) && is_file($cline["c"])) {
    print '<!-- using '.$cline["c"].' -->'."\n";
    include $cline["c"];
} elseif (isset($_ENV["CONFIG"]) && is_file($_ENV["CONFIG"])) {
    # print '<!-- using '.$_ENV["CONFIG"].'-->'."\n";
    include $_ENV["CONFIG"];
} elseif (is_file("../config/config.php")) {
    print '<!-- using ../config/config.php -->'."\n";
    include "../config/config.php";
} else {
    print "Error, cannot find config file\n";
    exit;
}
Please don't defend people for not checking code they use on their websites.
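Added example, not part of the original post and not the project's own code: a hardened form of the two excerpts above. The first excerpt turns every request key into a variable, so names such as `$cline` that later reach `include` can be set from the request; the version below imports only named scalar parameters and accepts a config path only from the environment and only inside one fixed directory. `ALLOWED_PARAMS`, `import_request_params()`, `resolve_config()` and the sample parameter list are hypothetical names chosen for illustration.

```php
<?php
// Added example; all names here are hypothetical, not from the project.

// 1. Replace `$$key = $val` with an explicit import of known parameters.
const ALLOWED_PARAMS = ['page', 'id', 'start'];   // constructed sample list

function import_request_params(array $request): array
{
    $params = [];
    foreach (ALLOWED_PARAMS as $name) {
        // Scalars only: array-valued keys are dropped, not turned into variables.
        if (isset($request[$name]) && is_scalar($request[$name])) {
            $params[$name] = (string) $request[$name];
        }
    }
    return $params;   // callers read $params['page'], never a bare global
}

// 2. Accept a config path only if it resolves inside one fixed directory.
function resolve_config(?string $candidate, string $configDir): string
{
    $base = realpath($configDir);
    if ($base === false) {
        throw new RuntimeException('config directory missing');
    }
    // realpath() collapses ../ and symlinks; false means the file does not exist.
    $path = realpath($candidate ?? $base . DIRECTORY_SEPARATOR . 'config.php');
    if ($path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
        || pathinfo($path, PATHINFO_EXTENSION) !== 'php') {
        throw new RuntimeException('refusing config path');
    }
    return $path;
}

$params = import_request_params($_REQUEST);

try {
    // getenv() reads the process environment, not a request-derived variable.
    $env = getenv('CONFIG');
    $configFile = resolve_config($env === false ? null : $env, __DIR__ . '/../config');
    include $configFile;
} catch (RuntimeException $e) {
    print "Error, cannot find config file\n";
    exit(1);
}
```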