oss-sec mailing list archives
Re: CVE id request: php-xajax
From: Nico Golde <oss-security+ml () ngolde de>
Date: Wed, 17 Dec 2008 19:02:21 +0100
Hi, * Steffen Joeris <steffen.joeris () skolelinux de> [2008-12-17 18:59]:
On Wed, 17 Dec 2008 06:19:20 pm Nico Golde wrote:* Steven M. Christey <coley () linus mitre org> [2008-12-17 17:53]:On Wed, 17 Dec 2008, Steffen Joeris wrote:The patch for CVE-2007-2739 seems incomplete as it doesn't escape "&". I recommend removing the replace call and using htmlspecialchars() instead.This counts for a new CVE, so use CVE-2008-5623 Will there be more details available, or should I just write the description up based on the oss-security post? Which versions are affected?Please enlighten me why it is incomplete. As far as I know you can't perform an XSS with & only (I'm not a webappsec expert though). But the reason it behaves different from htmlspecialchars should not make this patch incomplete.Afaik you can use & to specify values like ../foo.php&value=bar Thus the patch looked incomplete to me and should be extended to escape & as well.
I see no problem with specifying GET variables here unless this is some kind of CSRF which I don't see in this case. Cheers Nico -- Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
Attachment:
_bin
Description:
Current thread:
- CVE id request: php-xajax Steffen Joeris (Dec 17)
- Re: CVE id request: php-xajax Steven M. Christey (Dec 17)
- Re: CVE id request: php-xajax Nico Golde (Dec 17)
- Re: CVE id request: php-xajax Steffen Joeris (Dec 17)
- Re: CVE id request: php-xajax Nico Golde (Dec 17)
- Re: CVE id request: php-xajax Steven M. Christey (Dec 17)
- Re: CVE id request: php-xajax Nico Golde (Dec 17)
- Re: CVE id request: php-xajax Steven M. Christey (Dec 17)
- Re: CVE id request: php-xajax Nico Golde (Dec 17)
- Re: CVE id request: php-xajax Steven M. Christey (Dec 17)