Talk:Itheora

I removed template:free software, as this article is about an individual piece of software which happens to be free, not the free software movement itself. boffy_b 15:37, 10 March 2007 (UTC)

Notability (and security)
I don't think this is notable. Other than that, I think it has some major security holes. For example the link the script makes to the download script looks like this: http://example.com/itheora/lib/download.php?url=/itheora/data/video.ogg

This means that if one just changed the path in the "url" parameter to something else, one could fetch any file on the filesystem of the server (I've tried it!). You could for example get the source code of any PHP script.

Other than that, this script doesn't work on servers without $_SERVER["DOCUMENT_ROOT"], and furthermore it doesn't handle errors correctly, so you have to insert something like "error_reporting(0);".

--Ysangkok (talk) 22:42, 9 January 2008 (UTC)


 * Here's a URL proving the explorit and thereby revealing the source code and thereby proving it again: http://menguy.aymeric.free.fr/itheora/lib/download.php?url=/itheora/lib/download.php --Ysangkok (talk) 22:47, 9 January 2008 (UTC)


 * Hehehe. Looks like the security problem was fixed in 1.0rc2. I was mentioned on SecurityFocus: . :) This page is referenced from there. --Ysangkok (talk) 19:34, 16 August 2009 (UTC)