Full Disclosure mailing list archives

Re: Critical PHP bug - act ASAP if you are running web with sensitive data


From: Tõnu Samuel <tonu () jes ee>
Date: Wed, 29 Mar 2006 08:51:18 +0300

Jasper Bryant-Greene wrote:

My point is, can you think of a logical reason why html_entity_decode would be run on user input? I'm sure some idiot is doing it (and therefore this is a security issue, though not exactly critical), but I don't think I can think of a reason why it would be done.

Why would you want to decode HTML entities given by a user? The opposite (encode their input into HTML entities) is the usual approach...

Ok, this "critical" is my fault. Seeing a memory dump of other users' data seemed serious enough to me, and I suspected it might affect other functions besides this one. Now that we know more, I agree that it is less critical than I suspected. Still, it is a problem, and as the subject said: "if you are running web with sensitive data". A malicious user can upload a new script and see what others are doing. In most cases not as critical as I assumed, but still bad enough, and I really expect to see announcements for such problems faster and patches to come out (I mean RPMs this time). Right now my systems are unprotected until I start making packages myself or Novell makes one. Three weeks is too much. And what about PHP 4.x and 5.0 users?

   Tõnu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/