Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.

From: Paul Laudanski <zx () castlecops com>
Date: Sat, 29 Oct 2005 18:10:46 -0400 (EDT)
On Thu, 27 Oct 2005, Nicob wrote:


Le mardi 25 octobre 2005 à 17:02 -0400, Paul Laudanski a écrit :


Anyone have other ideas on this?  I've already implemented some code
to validate file input and its working.  But is this the right
approach?


I'm not sure to understand what you're talking about but if you're
trying to positively validate that file XYZ is an image and not a PHP
file, you're asking for trouble :

$> wget http://nicob.net/mirrors/blowjob.jpg


I'm not contesting your reply, I agree with it an mentioned it earlier.  
Remote validation is a problem.  So then validation should be done locally 
(attach the image locally).

-- 
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops(SM), http://castlecops.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: