oss-sec mailing list archives
Re: php mb_ereg_replace()
From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 13 May 2009 10:47:01 -0400 (EDT)
On Wed, 13 May 2009, Christian Hoffmann wrote:
> Regarding CVE... I'm not sure. It is not a vulnerability in PHP. It's a missing functionality which very very easily leads to severe security problems in apps which make use of the affected functions. And, this missing functionality is usually expected to be there, as preg_replace works like that. So.. tough case, imo.
We don't have a CVE for the fact that strcpy() exists - it can be used safely even though it's dangerous. My interpretation of this issue was the same, so no CVE is needed. Any PHP application that misuses mb_ereg_replace(), however, is fair game. (We already have a handful of CVEs for executable regexps in PHP apps.)

- Steve