oss-sec mailing list archives
Re: php mb_ereg_replace()
From: Oden Eriksson <oeriksson () mandriva com>
Date: Wed, 13 May 2009 11:51:44 +0200
On Wednesday 13 May 2009 09:40:20, Sebastian Krahmer wrote:
Hi, anyone aware of Bugtraq ID 34873 (http://www.securityfocus.com/bid/34873)? Seems there is no CVE or anything else (not even a patch).
Sebastian
Got this reply from Derick Rethans asking on security () php net:
It was brought to my attention there is a new security issue in php as shown here: http://www.securityfocus.com/bid/34873
Could you please advise?
How is this a bug, the documentation for mb_ereg_replace writes:

"If e is specified, replacement string will be evaluated as PHP expression."

In the example "e" is specified, so of course it will execute the code.

regards,
Derick

--
Regards // Oden Eriksson
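An added example, not part of the original message and not PHP project code: a small Python audit that finds `mb_ereg_replace()` / `mb_eregi_replace()` calls whose fourth (option) argument contains `e`, the documented behaviour quoted in the reply above. The sample PHP source and the helper names `split_args` and `audit` are constructed for illustration.

```python
import re

SAMPLE = r'''<?php  // constructed sample source, not from the thread
$a = mb_ereg_replace('[aeiou]', '*', $text);
$b = mb_ereg_replace('(\w+)', $repl, $text, 'ie');
$c = mb_eregi_replace('x, y', f($r, 1), $text, "im");
$d = mb_ereg_replace($p, $r, $text, $opts);
'''

CALL = re.compile(r'\b(mb_eregi?_replace)\s*\(', re.I)

def split_args(src, start):
    """Split a call's arguments, starting just after its '('."""
    args, cur, depth, quote, i = [], [], 0, None, start
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == '\\':                 # keep the escaped character
                cur.append(ch); i += 1; ch = src[i] if i < len(src) else ''
            elif ch == quote:
                quote = None
        elif ch in '\'"':
            quote = ch
        elif ch in '([{':
            depth += 1
        elif ch in ')]}':
            if depth == 0:                 # closing paren of the call
                return args + [''.join(cur).strip()]
            depth -= 1
        elif ch == ',' and depth == 0:     # top-level separator
            args.append(''.join(cur).strip()); cur = []; i += 1
            continue
        cur.append(ch)
        i += 1
    return None                            # unbalanced; not reported

def audit(src):
    """Return (line, function, verdict) for calls that set or may set "e"."""
    findings = []
    for m in CALL.finditer(src):
        args = split_args(src, m.end())
        if not args or len(args) < 4:
            continue                       # no option string, no eval
        line = src.count('\n', 0, m.start()) + 1
        lit = re.fullmatch(r'''(['"])([A-Za-z]*)\1''', args[3])
        if lit is None or 'e' in lit.group(2):
            verdict = 'eval: "e" option set' if lit else 'review: non-literal options'
            findings.append((line, m.group(1), verdict))
    return findings
```

Calls flagged as `eval` are the ones to rewrite with `mb_ereg_replace_callback()`; the `e` option was deprecated in PHP 7.1 and removed in PHP 8.0.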