Hello Matthew,
> That's a hell of a turnaround for you, Esser. It's the first security
> bug I've reported in your software that's actually been fixed. And it
> only took you *THREE YEARS*. We're finally making some progress here.
Mr. Murphy, I don't know what your problem is, but the bug you
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160
Stefan Esser wrote:
> Unfortunately for you, the CVS commit you quote has nothing todo with
> the XSS vulnerability in my advisory.
> My advisory covers "Input Validation Part 1" which you can read here
>
> http://viewcvs.php.net/viewcvs.cgi/php-
* Stefan Esser:
> http://viewcvs.php.net/viewcvs.cgi/php-src/ext/standard/info.c.diff?r1=1.245.2.2&r2=1.245.2.3
>
> I hope this is enough to convince you... (because your bug report has
> nothing todo with arrays not beeing escaped at all)
With current PHP, his URL happens to trigger the array es
Hello Matthew,
> http://cvs.php.net/diff.php/php-src/ext/standard/info.c?r1=1.252&r2=1.253&ty=u
>
> For the change marked "Input Validation Part 2". It uses ENT_QUOTES
> escaping as opposed to ENT_NOQUOTES escaping. The lack of escaping on
> quotes in entity attributes is the *EXACT* issue my bu
* Matthew Murphy:
> Nice try, Stefan.
>
> I reported this vulnerability more than three years ago (against 4.2.x)
> on October 12, 2002 via the PHP bug database. I was told to implement
> an .ini setting and the bug was marked "Bogus".
>
> For information, please see PHP Bug #19881:
> http://bugs
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160
Stefan Esser wrote:
> Mr. Murphy, I don't know what your problem is, but the bug you refer to
> and that is described in the bug tracker post is not the bug the
> advisory contains. Just because you reported some XSS vulnerability in
> phpinfo() d
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160
Nice try, Stefan.
I reported this vulnerability more than three years ago (against 4.2.x)
on October 12, 2002 via the PHP bug database. I was told to implement
an .ini setting and the bug was marked "Bogus".
For information, please see PHP Bug