Re: CVE id request: php-xajax

[Nico Golde <oss-security+ml () ngolde de>]

Hi,
* Steffen Joeris <steffen.joeris () skolelinux de> [2008-12-17 18:59]:
> On Wed, 17 Dec 2008 06:19:20 pm Nico Golde wrote:
> > * Steven M. Christey <coley () linus mitre org> [2008-12-17 17:53]:
> > > On Wed, 17 Dec 2008, Steffen Joeris wrote:
> > > > The patch for CVE-2007-2739 seems incomplete as it doesn't escape "&".
> > > > I recommend removing the replace call and using htmlspecialchars()
> > > > instead.
> > >
> > > This counts for a new CVE, so use CVE-2008-5623
> > >
> > > Will there be more details available, or should I just write the
> > > description up based on the oss-security post?  Which versions are
> > > affected?
> >
> > Please enlighten me why it is incomplete. As far as I know
> > you can't perform an XSS with & only (I'm not a webappsec
> > expert though). But the reason it behaves different from
> > htmlspecialchars should not make this patch incomplete.
> Afaik you can use & to specify values like ../foo.php&value=bar
> Thus the patch looked incomplete to me and should be extended to escape & as 
> well.

I see no problem with specifying GET variables here unless 
this is some kind of CSRF which I don't see in this case.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: _bin
Description: