Re: [Full-disclosure] Critical PHP bug - act ASAP if you are running web with sensitive data
- To: Jasper Bryant-Greene <jasper@xxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Critical PHP bug - act ASAP if you are running web with sensitive data
- From: Tõnu Samuel <tonu@xxxxxx>
- Date: Wed, 29 Mar 2006 08:51:18 +0300
Jasper Bryant-Greene wrote:
> My point is, can you think of a logical reason why html_entity_decode
> would be run on user input? I'm sure some idiot is doing it (and
> therefore this is a security issue, though not exactly critical), but
> I don't think I can think of a reason why it would be done.
> Why would you want to decode HTML entities given by a user? The
> opposite (encode their input into HTML entities) is the usual approach...

OK, this "critical" is my fault. Seeing a memory dump of other users' data
seems serious enough to me, and I suspected it might affect different
functions besides this one. Now that we know more, I agree that it is
less critical than I suspected. Still, it is a problem, and as the subject
said: "if you are running web with sensitive data". A malicious user can
upload a new script and see what others are doing. In most cases it is not as
critical as I assumed, but still bad enough, and I really expect to see
announcements for such problems faster and patches to come out (I mean
RPMs this time). Right now my systems are unprotected until I start to
make packages myself or Novell makes one. Three weeks is too
much. And what about PHP 4.x and 5.0 users?
Tõnu