[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

To: Stefan Esser <sesser@xxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()
From: Florian Weimer <fw@xxxxxxxxxxxxx>
Date: Mon, 31 Oct 2005 21:04:27 +0100

* Stefan Esser:

> http://viewcvs.php.net/viewcvs.cgi/php-src/ext/standard/info.c.diff?r1=1.245.2.2&r2=1.245.2.3
>
> I hope this is enough to convince you... (because your bug report has
> nothing todo with arrays not beeing escaped at all)

With current PHP, his URL happens to trigger the array escape bug,
though.  Matthew's criticims of PHP's development practices is not
completely unfounded, I'm afraid.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()
  - From: Matthew Murphy
- [Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()
  - From: Stefan Esser
- [Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()
  - From: Matthew Murphy
- Re: [Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()
  - From: Stefan Esser

Prev by Date: Re: [Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()
Next by Date: RE: [Full-disclosure] Security, Hacking & Social Engineering Presentation.
Previous by thread: Re: [Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()
Next by thread: [Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()
Index(es):
- Date
- Thread