Re: [Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

From: Florian Weimer (fw_at_deneb.enyo.de)
Date: 10/31/05

  • Next message: James Eaton-Lee: "RE: [Full-disclosure] Security, Hacking & Social Engineering Presentation."
    To: Stefan Esser <sesser@hardened-php.net>
    Date: Mon, 31 Oct 2005 21:04:27 +0100
    
    

    * Stefan Esser:

    > http://viewcvs.php.net/viewcvs.cgi/php-src/ext/standard/info.c.diff?r1=1.245.2.2&r2=1.245.2.3
    >
    > I hope this is enough to convince you... (because your bug report has
    > nothing todo with arrays not beeing escaped at all)

    With current PHP, his URL happens to trigger the array escape bug,
    though. Matthew's criticims of PHP's development practices is not
    completely unfounded, I'm afraid.
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/


  • Next message: James Eaton-Lee: "RE: [Full-disclosure] Security, Hacking & Social Engineering Presentation."