Full Disclosure mailing list archives
Re: Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()
From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 31 Oct 2005 21:04:27 +0100
* Stefan Esser:
http://viewcvs.php.net/viewcvs.cgi/php-src/ext/standard/info.c.diff?r1=1.245.2.2&r2=1.245.2.3 I hope this is enough to convince you... (because your bug report has nothing todo with arrays not beeing escaped at all)
With current PHP, his URL happens to trigger the array escape bug, though. Matthew's criticims of PHP's development practices is not completely unfounded, I'm afraid. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo() Stefan Esser (Oct 31)
- Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo() Matthew Murphy (Oct 31)
- Message not available
- Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo() Matthew Murphy (Oct 31)
- Re: Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo() Stefan Esser (Oct 31)
- Re: Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo() Florian Weimer (Oct 31)
- Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo() Matthew Murphy (Oct 31)
- Message not available
- Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo() Matthew Murphy (Oct 31)
- Re: Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo() Florian Weimer (Oct 31)