On Sun, 8 Sep 2002, Stefan Esser wrote:
> PS: Is php-dev censored? Or why disappeared my mail about MD5/GPG signs of
> PHP 4.2.3... Is there some autofilter on "group says everytime: we do it the
> next time?"
Naw I saw it and your bug report on it.
>-
Morning,
I wonder when we will see: PHP include() PHP Code Injection
on Bugtraq ;)
[X] Injecting HTTP headers is indeed possible with his technique.
[X] -> You can inject Cookies...
[X] Injecting Part of the Body is possible, too.
[X] Browsers ignore anything in the Body when "Location" is use
On Sun, 08 Sep 2002 10:58:24 +0900
Yasuo Ohgaki <[EMAIL PROTECTED]> wrote:
> This obvious security risk is mentioned in bugtraq today.
>
> IMHO, this is users' fault. They must check values before
> using it. In this specific case, user should use simple regex
> before feeding str to header().
>
> Yasuo Ohgaki wrote:
> > This obvious security risk is mentioned in bugtraq today.
> >
> > IMHO, this is users' fault. They must check values before
> > using it. In this specific case, user should use simple regex
> > before feeding str to header().
> >
> > Any opinion to make this to "won't fix
I'll make it "won't fix".
--
Yasuo Ohgaki
Melvyn Sopacua wrote:
> On Sun, 8 Sep 2002, Yasuo Ohgaki wrote:
>
> YO>>> Date: Sun, 08 Sep 2002 11:01:44 +0900
> YO>>> From: Yasuo Ohgaki <[EMAIL PROTECTED]>
> YO>>> To: [EMAIL PROTECTED]
> YO>>> Subject: [PHP-DEV] Re: #19286 [NEW]: header() Control Ch
On September 7, 2002 09:58 pm, Yasuo Ohgaki wrote:
> This obvious security risk is mentioned in bugtraq today.
>
> IMHO, this is users' fault. They must check values before
> using it. In this specific case, user should use simple regex
> before feeding str to header().
>
> Any opinion to make this
On Sun, 8 Sep 2002, Yasuo Ohgaki wrote:
YO>>> Date: Sun, 08 Sep 2002 11:01:44 +0900
YO>>> From: Yasuo Ohgaki <[EMAIL PROTECTED]>
YO>>> To: [EMAIL PROTECTED]
YO>>> Subject: [PHP-DEV] Re: #19286 [NEW]: header() Control Char Injection
YO>>>
YO>>> Yasuo Ohgaki wrote:
YO>>> > This obvious security ri