oss-sec mailing list archives
Re: CVE id request: php-xajax
From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 17 Dec 2008 13:11:00 -0500 (EST)
On Wed, 17 Dec 2008, Nico Golde wrote:
Afaik you can use & to specify values like ../foo.php&value=bar Thus the patch looked incomplete to me and should be extended to escape & as well.I see no problem with specifying GET variables here unless this is some kind of CSRF which I don't see in this case.
If there's CSRF then that would be a separate issue. If ";" is also allowed then there might be some possibilities for odd entity encodings, but I don't know if that would translate directly into XSS. A simple, likely-incorrect example might be "<" which would decode into "<" but the browser would treat it as a literal "<" instead of the start of a tag. - Steve
Current thread:
- CVE id request: php-xajax Steffen Joeris (Dec 17)
- Re: CVE id request: php-xajax Steven M. Christey (Dec 17)
- Re: CVE id request: php-xajax Nico Golde (Dec 17)
- Re: CVE id request: php-xajax Steffen Joeris (Dec 17)
- Re: CVE id request: php-xajax Nico Golde (Dec 17)
- Re: CVE id request: php-xajax Steven M. Christey (Dec 17)
- Re: CVE id request: php-xajax Nico Golde (Dec 17)
- Re: CVE id request: php-xajax Steven M. Christey (Dec 17)
- Re: CVE id request: php-xajax Nico Golde (Dec 17)
- Re: CVE id request: php-xajax Steven M. Christey (Dec 17)