oss-sec mailing list archives

Re: CVE id request: php-xajax


From: Steffen Joeris <steffen.joeris () skolelinux de>
Date: Wed, 17 Dec 2008 18:57:27 +0100

On Wed, 17 Dec 2008 06:19:20 pm Nico Golde wrote:
> Hi,
>
> * Steven M. Christey <coley () linus mitre org> [2008-12-17 17:53]:
> > On Wed, 17 Dec 2008, Steffen Joeris wrote:
> > > The patch for CVE-2007-2739 seems incomplete as it doesn't escape "&".
> > > I recommend removing the replace call and using htmlspecialchars()
> > > instead.
> >
> > This counts for a new CVE, so use CVE-2008-5623
> >
> > Will there be more details available, or should I just write the
> > description up based on the oss-security post?  Which versions are
> > affected?
>
> Please enlighten me why it is incomplete. As far as I know
> you can't perform an XSS with & only (I'm not a webappsec
> expert though). But the reason it behaves differently from
> htmlspecialchars should not make this patch incomplete.
AFAIK you can use & to specify values like ../foo.php&value=bar
Thus the patch looked incomplete to me and should be extended to escape & as
well.

Cheers
Steffen

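The point of the exchange above is that an escaper which handles angle brackets and quotes but leaves "&" alone still lets a value carry an extra query parameter, while htmlspecialchars() encodes "&" as well. The following is an added example, not code from xajax or from any of the thread's participants; the thread does not quote the actual replace call from the CVE-2007-2739 patch, so `incompleteEscape()` is a hypothetical stand-in for it, and `hasBareAmpersand()` is an added check for whether an unencoded "&" survives escaping.

```php
<?php
// Added example, not xajax's own code. incompleteEscape() is a hypothetical
// reconstruction of a str_replace()-based fix that covers <, > and " but
// leaves "&" untouched; the real replace call is not shown in the thread.
function incompleteEscape(string $value): string
{
    return str_replace(['<', '>', '"'], ['&lt;', '&gt;', '&quot;'], $value);
}

// The replacement recommended in the thread: htmlspecialchars() also
// encodes "&" (and, with ENT_QUOTES, single quotes).
function fullEscape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Returns true when the escaped string still contains an "&" that does not
// start a named or numeric entity, i.e. one that would reach the output raw.
function hasBareAmpersand(string $escaped): bool
{
    return (bool) preg_match('/&(?![a-zA-Z]+;|#[0-9]+;|#x[0-9a-fA-F]+;)/', $escaped);
}

// Constructed input modelled on the thread: a path that smuggles an extra
// parameter through an unescaped "&".
$input = '../foo.php&value=bar';

foreach (['incomplete' => 'incompleteEscape', 'complete' => 'fullEscape'] as $label => $fn) {
    $out = $fn($input);
    printf("%-10s %-28s bare '&' left: %s\n", $label . ':', $out, hasBareAmpersand($out) ? 'yes' : 'no');
}
```

Run with `php example.php`; the incomplete escaper leaves `&value=bar` intact, whereas htmlspecialchars() turns the separator into `&amp;`, so the value can no longer be read as two parameters. The bare-ampersand check is the kind of assertion a unit test for an escaping helper can carry so a regression like this is caught before release.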
