oss-sec mailing list archives
Re: CVE id request: php5
From: Raphael Geissert <atomo64+debian () gmail com>
Date: Wed, 28 Jan 2009 14:00:42 -0600
Josh Bressers wrote:
[...]
> I may be missing something here, but this looks like an issue where a bad script really needs to cause this. Wouldn't it be just as easy for the script author to delete the file in question via a PHP script?

No, please read carefully. If you have a script that doesn't do good input sanitation but takes a variable from the user's input and uses it as a key, it will end up nuking the .ini file.

Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net