Full Disclosure mailing list archives

Re: Critical PHP bug - act ASAP if you are running web with sensitive data


From: Jasper Bryant-Greene <jasper () album co nz>
Date: Wed, 29 Mar 2006 17:54:27 +1200

Tõnu Samuel wrote:
> Jasper Bryant-Greene wrote:
>
>> My point is, can you think of a logical reason why html_entity_decode would be run on user input? I'm sure some idiot is doing it (and therefore this is a security issue, though not exactly critical), but I don't think I can think of a reason why it would be done.
>>
>> Why would you want to decode HTML entities given by a user? The opposite (encode their input into HTML entities) is the usual approach...
>
> Ok, this "critical" is my fault. Seeing a memory dump of other users' data seemed serious enough to me, and I suspected it might affect other functions besides this one. Now that we know more, I agree that it is less critical than I suspected. Still, it is a problem, and as the subject said: "if you are running web with sensitive data". A malicious user can upload a new script and see what others are doing. In most cases not as critical as I assumed, but still bad enough, and I really expect to see announcements for such problems faster and patches to come out (I mean RPMs this time). Right now my systems are unprotected until I make packages myself or Novell makes one. Three weeks is too much. And what about PHP 4.x and 5.0 users?

Sure, this is still a fairly serious bug. (As an aside, if you have sensitive data, you really shouldn't allow users to upload new scripts, or be running in a shared hosting env.)

I can't speak for other distros, but there's a bug in Gentoo Bugzilla for this: http://bugs.gentoo.org/127939

Jasper
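The contrast the reply draws (encode user input on output, rather than decode entities the user sent) as an added PHP example; this is not code from the thread or from PHP itself, the comment string is constructed for the demonstration, and the function names are the example's own. It illustrates only the logic-level point made above, not the memory-handling bug the thread is about.

```php
<?php
// Added example, not code from the thread. Shows the usual direction
// (encode untrusted text when emitting it into HTML) next to the reversed
// direction (html_entity_decode() on user input). Function names and the
// input string are the example's own.

// Constructed attacker-supplied input: a comment that already carries entities.
$untrusted_comment = '&lt;script&gt;alert(document.cookie)&lt;/script&gt; said "hi" &amp; left';

// Usual approach: keep user input as opaque text and encode it on output.
// ENT_QUOTES also escapes single quotes, so the result stays safe inside
// attribute values delimited by either quote character.
function render_comment_safely($comment)
{
    return '<p class="comment">' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Reversed approach the thread questions: decode the entities the user sent,
// then emit the result. Whatever the user encoded becomes live markup again.
function render_comment_after_decode($comment)
{
    $decoded = html_entity_decode($comment, ENT_QUOTES, 'UTF-8');
    return '<p class="comment">' . $decoded . '</p>';
}

// Minimal check for the property that matters here: does the rendered
// fragment contain a raw <script tag that originated in user input?
function contains_raw_script_tag($html)
{
    return stripos($html, '<script') !== false;
}

$safe    = render_comment_safely($untrusted_comment);
$decoded = render_comment_after_decode($untrusted_comment);

echo "Encoded on output:\n  $safe\n";
echo "Decoded first:\n  $decoded\n";

// Self-check: the encoded rendering must not contain a raw tag; the
// decoded-first rendering is the one that does.
if (contains_raw_script_tag($safe)) {
    fwrite(STDERR, "unexpected: encoded output contains a raw <script> tag\n");
    exit(1);
}
if (!contains_raw_script_tag($decoded)) {
    fwrite(STDERR, "unexpected: decoded output did not reintroduce the tag\n");
    exit(1);
}
echo "OK: only the decode-first path reintroduces user-supplied markup\n";
```

If entities genuinely have to be decoded (for example, to canonicalize input before a validation step), the order is decode, validate, then encode again at the point of output; decoding right before emission undoes the encoding that was protecting the page.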

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

