Description: ------------ As per Secunia-advisory at http://secunia.com/advisories/22522/ there exists a (theoretical?) vulnerability in Net_DNS, even in the latest version (CVS). The variable is set in the main library-file Net/DNS.php to "Net_". But if it is somehow possible for an attacker to access RR.php directly and in case register_globals is on this can lead to arbitary file inclusion (since $phpdns_basedir is used in require_once-statements). Expected result: ---------------- No inclusion of arbitrary files :-) Actual result: -------------- Inclusion possible under certain (special) conditions.

Would it be fine to "hardcode" Net_ instead of using $phpdns_basedir? I think that's done this way in most other packages as well.

This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better.