subject:"\[Full\-disclosure\] Re\: Advisory 18\/2005\: PHP Cross Site Scripting \(XSS\) Vulnerability in phpinfo\(\)"

[Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

2005-11-01 Thread Stefan Esser

Hello Matthew, > That's a hell of a turnaround for you, Esser. It's the first security > bug I've reported in your software that's actually been fixed. And it > only took you *THREE YEARS*. We're finally making some progress here. Mr. Murphy, I don't know what your problem is, but the bug you

[Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

2005-10-31 Thread Matthew Murphy

-BEGIN PGP SIGNED MESSAGE- Hash: RIPEMD160 Stefan Esser wrote: > Unfortunately for you, the CVS commit you quote has nothing todo with > the XSS vulnerability in my advisory. > My advisory covers "Input Validation Part 1" which you can read here > > http://viewcvs.php.net/viewcvs.cgi/php-

Re: [Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

2005-10-31 Thread Florian Weimer

* Stefan Esser: > http://viewcvs.php.net/viewcvs.cgi/php-src/ext/standard/info.c.diff?r1=1.245.2.2&r2=1.245.2.3 > > I hope this is enough to convince you... (because your bug report has > nothing todo with arrays not beeing escaped at all) With current PHP, his URL happens to trigger the array es

Re: [Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

2005-10-31 Thread Stefan Esser

Hello Matthew, > http://cvs.php.net/diff.php/php-src/ext/standard/info.c?r1=1.252&r2=1.253&ty=u > > For the change marked "Input Validation Part 2". It uses ENT_QUOTES > escaping as opposed to ENT_NOQUOTES escaping. The lack of escaping on > quotes in entity attributes is the *EXACT* issue my bu

Re: [Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

2005-10-31 Thread Florian Weimer

* Matthew Murphy: > Nice try, Stefan. > > I reported this vulnerability more than three years ago (against 4.2.x) > on October 12, 2002 via the PHP bug database. I was told to implement > an .ini setting and the bug was marked "Bogus". > > For information, please see PHP Bug #19881: > http://bugs

[Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

2005-10-31 Thread Matthew Murphy

-BEGIN PGP SIGNED MESSAGE- Hash: RIPEMD160 Stefan Esser wrote: > Mr. Murphy, I don't know what your problem is, but the bug you refer to > and that is described in the bug tracker post is not the bug the > advisory contains. Just because you reported some XSS vulnerability in > phpinfo() d

[Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

2005-10-31 Thread Matthew Murphy

-BEGIN PGP SIGNED MESSAGE- Hash: RIPEMD160 Nice try, Stefan. I reported this vulnerability more than three years ago (against 4.2.x) on October 12, 2002 via the PHP bug database. I was told to implement an .ini setting and the bug was marked "Bogus". For information, please see PHP Bug

[Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

[Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

Re: [Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

Re: [Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

Re: [Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

[Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

[Full-disclosure] Re: Advisory 18/2005: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()

7 matches

Site Navigation

Mail list logo

Footer information