oss-sec mailing list archives
Re: CVE id request: php-xajax
From: Nico Golde <oss-security+ml () ngolde de>
Date: Wed, 17 Dec 2008 19:30:10 +0100
Hi,
* Steven M. Christey <coley () linus mitre org> [2008-12-17 19:28]:
> On Wed, 17 Dec 2008, Nico Golde wrote:
> > > Afaik you can use & to specify values like ../foo.php&value=bar
> > > Thus the patch looked incomplete to me and should be extended to
> > > escape & as well.
> >
> > I see no problem with specifying GET variables here unless this is
> > some kind of CSRF which I don't see in this case.
>
> If there's CSRF then that would be a separate issue.
>
> If ";" is also allowed then there might be some possibilities for odd
> entity encodings, but I don't know if that would translate directly into
> XSS. A simple, likely-incorrect example might be "&lt;" which would
> decode into "<" but the browser would treat it as a literal "<" instead
> of the start of a tag.

Yes but this would be a bug, no security issue by itself.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.