[Phpmyadmin-devel] Re: [Phpmyadmin-cvs] CVS: phpMyAdmin/test theme.php,NONE,1.1

Garvin Hicking phpmyadmin at supergarv.de
Tue Nov 22 03:33:02 CET 2005


>> But then such a file should not be included in the release, or at least
>> renamed to "test.php.txt" so that it can only be executed after being renamed?
> why? the lang scripts are not renamed too from .sh to .sh.txt ... and don't make
> it too hard for theme developers - probably they are not techies

.sh scripts cannot be executed through HTTP. .php Scripts can.

>> Why did Michal then fix this a day ago?
> i don't know, i mean it is not wrong to escape this value, but it is not really
> necessary, you can not reach the host you want if you add XSS code to the host
> in the http header ... IMHO!

That depends on the Apache setup. If you use HTTP 1.0 you can specify the Host:
Header with any content you like. Plus you might be able to pass $HTTP_HOST as a
register_global variable.


++ Garvin Hicking | Web-Entwickler [PHP]    | www.garv.in | ICQ 21392242
++ Developer of   | www.phpMyAdmin.net      | www.s9y.org

++ Make me happy  | http://wishes.garv.in

More information about the Developers mailing list