Bugtraq mailing list archives
Re: [Full-disclosure] Critical PHP bug - act ASAP if you are running web with sensitive data
From: Jasper Bryant-Greene <jasper () album co nz>
Date: Wed, 29 Mar 2006 15:22:14 +1200
Tõnu Samuel wrote:
Nice! I was really nervous already as I got bombed with e-mails and I really did not knew much more than was discovered. Meanwhile I am bit disappointed that we had nearly month such a bug in wild and software distributors like SuSE in my case did not published patches. I think as long enough time passed and I hope distributors maybe need to see it - I publish exploit. Sorry, this was discovered independently and for me it looks like very serious problem.Script is: <?php $foobar=html_entity_decode($_GET['foo']); echo $foobar; ?>
I very much doubt there are many applications at all containing code like this. It is illogical to be decoding html entities from user input. Therefore I would not call this a "very serious problem" and certainly not a critical bug.
Jasper
Current thread:
- Critical PHP bug - act ASAP if you are running web with sensitive data Tõnu Samuel (Mar 28)
- Message not available
- Re: [Full-disclosure] Critical PHP bug - act ASAP if you are running web with sensitive data Stefan Esser (Mar 28)
- Re: [Full-disclosure] Critical PHP bug - act ASAP if you are runningweb with sensitive data Tõnu Samuel (Mar 29)
- Message not available
- Re: [Full-disclosure] Critical PHP bug - act ASAP if you are running web with sensitive data Jasper Bryant-Greene (Mar 29)
- Re: [Full-disclosure] Critical PHP bug - act ASAP if you are running web with sensitive data Tõnu Samuel (Mar 29)
- Re: [Full-disclosure] Critical PHP bug - act ASAP if you are running web with sensitive data Jeff Rosowski (Mar 31)
- Re: [Full-disclosure] Critical PHP bug - act ASAP if you are running web with sensitive data Stefan Esser (Mar 28)
- Message not available