Date: Wed, 13 May 2009 11:51:44 +0200
From: Oden Eriksson <>
Subject: Re: php mb_ereg_replace()

On Wednesday 13 May 2009 09:40:20, Sebastian Krahmer wrote:
> Hi,
> anyone aware of Bugtraq ID 34873 (
> Seems there is no CVE or anything else (not even a patch).
> Sebastian

Got this reply from Derick Rethans asking on

> It was brought to my attention there is a new security issue in php as shown 
> here:
> Could you please advise?

How is this a bug, the documentation for mb_ereg_replace writes:

"If e is specified, replacement string will be evaluated as PHP
expression."

In the example "e" is specified, so of course it will execute the code. 


Regards // Oden Eriksson
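
The following is an added example, not part of the original message or of PHP's own code: it shows a replacement written with mb_ereg_replace_callback() so that matched text reaches the replacement logic as data only, plus a guard that refuses an options string containing "e". The function names safe_mb_options() and fill_placeholders(), the {{name}} placeholder format and the sample input are assumptions made for the illustration; it assumes a PHP build whose mbstring extension provides mb_ereg_replace_callback().

```php
<?php
declare(strict_types=1);

// Added illustration; function names and sample data are constructed.

// Shape of call the thread is about (kept as a comment, not for use):
//   mb_ereg_replace('\{\{([a-z_]+)\}\}', 'strtoupper("\\1")', $input, 'e');
// With "e" in the options, the replacement string is evaluated as PHP,
// so anything the pattern captures from $input ends up inside code.

/** Reject an options string that would turn the replacement into code. */
function safe_mb_options(string $options): string
{
    if (strpos($options, 'e') !== false) {
        throw new InvalidArgumentException('mb_ereg option "e" is not allowed');
    }
    return $options;
}

/** Fill {{name}} placeholders; the match is only ever handed to a closure. */
function fill_placeholders(string $template, array $fields, string $options = ''): string
{
    mb_regex_encoding('UTF-8');
    $out = mb_ereg_replace_callback(
        '\{\{([a-z_]+)\}\}',
        function (array $m) use ($fields): string {
            // $m[0] is the whole match, $m[1] the captured name.
            if (!array_key_exists($m[1], $fields)) {
                return $m[0]; // unknown placeholder stays untouched
            }
            return (string) $fields[$m[1]];
        },
        $template,
        safe_mb_options($options)
    );
    if (!is_string($out)) {
        throw new RuntimeException('mb_ereg_replace_callback failed');
    }
    return $out;
}

// Constructed input: a field value that looks like code is emitted as text.
$fields = ['user' => 'phpinfo()', 'city' => 'Malmö'];
echo fill_placeholders('Hello {{user}} from {{city}} {{unknown}}', $fields), "\n";
```

Calling fill_placeholders() with an options string that contains "e" throws before any replacement runs.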
