Date: Wed, 17 Dec 2008 19:30:10 +0100
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Cc: Nico Golde <oss-security+ml@...lde.de>,
	Steffen Joeris <steffen.joeris@...lelinux.de>,
	"Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE id request: php-xajax

Hi,
* Steven M. Christey <coley@...us.mitre.org> [2008-12-17 19:28]:
> On Wed, 17 Dec 2008, Nico Golde wrote:
> 
> > > Afaik you can use & to specify values like ../foo.php&value=bar
> > > Thus the patch looked incomplete to me and should be extended to escape & as
> > > well.
> >
> > I see no problem with specifying GET variables here unless
> > this is some kind of CSRF which I don't see in this case.
> 
> If there's CSRF then that would be a separate issue.
> 
> If ";" is also allowed then there might be some possibilities for odd
> entity encodings, but I don't know if that would translate directly into
> XSS.  A simple, likely-incorrect example might be "&lt;" which would
> decode into "<" but the browser would treat it as a literal "<" instead of
> the start of a tag.

Yes, but this would be a bug, not a security issue by itself.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
