Taras, Jose, On Sun, Nov 23, 2008 at 7:31 PM, Taras P. Ivashchenko <[EMAIL PROTECTED]> wrote: > Andres, >> But this isn't a buffer overflow, a format string, or something like >> that, the only thing that I have to add is a 0xc0 char in front of >> every character that would be normally escaped ( ; | & and some others >> ). And by "exploiting" this vulnerability, w3af would be bypassing a >> filter, like the ones that w3af bypasses when "fighting back" >> gpc_magic_quotes in SQL injection exploitation. > > Yes, but gpc_magic_quotes is PHP specific option (for all versions > before 6). > And bypassing is specific security issue in PHP of specific versions on > specific platforms (locales). > > I agree with José, that w3af isn't an vulnerability explotation > framework so it may be out of the scope of the project.
Ok, I'm going to follow your advice and I won't add this feature to the framework. Thanks for your comments and help! Cheers, > -- > Тарас Иващенко (Taras Ivashchenko), OSCP > www.securityaudit.ru > ---- > "Software is like sex: it's better when it's free." - Linus Torvalds > -- Andres Riancho http://w3af.sourceforge.net/ Web Application Attack and Audit Framework ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
