Re: Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

[Stefan Esser <sesser () hardened-php net>]

Hello Matthew,

> http://cvs.php.net/diff.php/php-src/ext/standard/info.c?r1=1.252&r2=1.253&ty=u
>
> For the change marked "Input Validation Part 2".  It uses ENT_QUOTES
> escaping as opposed to ENT_NOQUOTES escaping.  The lack of escaping on
> quotes in entity attributes is the *EXACT* issue my bug report
> illustrates.
Unfortunately for you, the CVS commit you quote has nothing todo with
the XSS vulnerability in my advisory.
My advisory covers "Input Validation Part 1" which you can read here

http://viewcvs.php.net/viewcvs.cgi/php-src/ext/standard/info.c.diff?r1=1.245.2.2&r2=1.245.2.3

I hope this is enough to convince you... (because your bug report has
nothing todo with arrays not beeing escaped at all)

Yours,
Stefan Esser

ps: And you do not need to convince me, that you should have credits for
that other bug. And it is a pity that it needed such a long time to fix
it. In the end it is just an XSS in a debugging feature and therefore it
was not taken so serious. You should be happy, that we have started to
even fix vulnerabilities in debugging tools.

-- 
--------------------------------------------------------------------------
 Stefan Esser                                               sesser () php net
 Hardened-PHP Project                         http://www.hardened-php.net/

 GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0x15ABDA78
 Key fingerprint       7806 58C8 CFA8 CE4A 1C2C  57DD 4AE1 795E 15AB DA78
--------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/