Full Disclosure mailing list archives
Re: Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()
From: Stefan Esser <sesser () hardened-php net>
Date: Mon, 31 Oct 2005 20:47:01 +0100
Hello Matthew,
http://cvs.php.net/diff.php/php-src/ext/standard/info.c?r1=1.252&r2=1.253&ty=u For the change marked "Input Validation Part 2". It uses ENT_QUOTES escaping as opposed to ENT_NOQUOTES escaping. The lack of escaping on quotes in entity attributes is the *EXACT* issue my bug report illustrates.
Unfortunately for you, the CVS commit you quote has nothing todo with the XSS vulnerability in my advisory. My advisory covers "Input Validation Part 1" which you can read here http://viewcvs.php.net/viewcvs.cgi/php-src/ext/standard/info.c.diff?r1=1.245.2.2&r2=1.245.2.3 I hope this is enough to convince you... (because your bug report has nothing todo with arrays not beeing escaped at all) Yours, Stefan Esser ps: And you do not need to convince me, that you should have credits for that other bug. And it is a pity that it needed such a long time to fix it. In the end it is just an XSS in a debugging feature and therefore it was not taken so serious. You should be happy, that we have started to even fix vulnerabilities in debugging tools. -- -------------------------------------------------------------------------- Stefan Esser sesser () php net Hardened-PHP Project http://www.hardened-php.net/ GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0x15ABDA78 Key fingerprint 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78 -------------------------------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo() Stefan Esser (Oct 31)
- Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo() Matthew Murphy (Oct 31)
- Message not available
- Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo() Matthew Murphy (Oct 31)
- Re: Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo() Stefan Esser (Oct 31)
- Re: Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo() Florian Weimer (Oct 31)
- Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo() Matthew Murphy (Oct 31)
- Message not available
- Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo() Matthew Murphy (Oct 31)
- Re: Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo() Florian Weimer (Oct 31)