Tõnu Samuel wrote:
> Jasper Bryant-Greene wrote:
>> My point is, can you think of a logical reason why html_entity_decode
>> would be run on user input? I'm sure some idiot is doing it (and
>> therefore this is a security issue, though not exactly critical), but
>> I don't think I can think of a reason why it would be done.
>> Why would you want to decode HTML entities given by a user? The
>> opposite (encode their input into HTML entities) is the usual approach...
> Ok, this "critical" is my fault. Seeing a memory dump of other users' data
> seems serious enough to me, and I suspected it might affect other
> functions besides this one. Now that we know more, I agree that it is
> less critical than I suspected. Still, it is a problem, and as the subject
> says: "if you are running web with sensitive data". A malicious user can
> upload a new script and see what others are doing. In most cases not as
> critical as I assumed, but still bad enough, and I really expect to see
> announcements for such problems faster and patches to come out (I mean
> RPMs this time). Right now my systems are unprotected until I start to
> make packages myself or Novell makes one. Three weeks is too
> much. And what about PHP 4.x and 5.0 users?
Sure, this is still a fairly serious bug. (As an aside, if you have
sensitive data, you really shouldn't allow users to upload new scripts,
or be running in a shared hosting env.)
I can't speak for other distros, but there's a bug in Gentoo Bugzilla
for this: http://bugs.gentoo.org/127939
Jasper
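The two directions Jasper contrasts (encoding user input for HTML output versus decoding entities in user-supplied text), as an added example that is not part of this thread and not code from PHP or from any of the posters. It assumes a current PHP (5.4 or later, for ENT_SUBSTITUTE) and uses a constructed sample comment; it does not reproduce the memory-disclosure bug under discussion, only why calling html_entity_decode on untrusted text is the wrong direction even on a patched interpreter:

```php
<?php
// Added example, not from the thread: the usual, safe pattern is to escape
// untrusted text on output. Decoding entities in stored user text reverses
// that escaping and hands the markup back to the browser.

declare(strict_types=1);

// Safe direction: escape untrusted text for an HTML body context.
// ENT_QUOTES escapes both quote characters so the same helper is usable
// in attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
// instead of silently returning an empty string; the charset is explicit.
function escape_for_html(string $userInput): string
{
    return htmlspecialchars($userInput, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_comment(string $userInput): string
{
    return '<p>' . escape_for_html($userInput) . '</p>';
}

// Unsafe direction: the pattern the thread asks about. Text that was stored
// in escaped form is decoded before output, so any markup the user typed
// becomes live again.
function render_comment_decoded(string $storedEscaped): string
{
    return '<p>' . html_entity_decode($storedEscaped, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Quick check for the unsafe case: does the rendered HTML contain a tag that
// came from the input rather than from our own <p> wrapper?
function leaks_user_markup(string $renderedHtml): bool
{
    $inner = substr($renderedHtml, strlen('<p>'), -strlen('</p>'));
    return strpos($inner, '<') !== false;
}

// Constructed sample input (hypothetical comment text).
$comment = '<script>alert(1)</script> & "quoted"';

// Store escaped, render as stored: the script tag stays inert text.
$stored = escape_for_html($comment);
$safe   = render_comment($comment);
echo $safe, PHP_EOL;
echo 'leaks markup: ', var_export(leaks_user_markup($safe), true), PHP_EOL;

// Decode the stored copy on output: the script tag is reconstituted.
$unsafe = render_comment_decoded($stored);
echo $unsafe, PHP_EOL;
echo 'leaks markup: ', var_export(leaks_user_markup($unsafe), true), PHP_EOL;
```

Run with `php example.php`: the first rendering keeps `<script>` as `&lt;script&gt;` and the check reports no leaked markup; the second, which decodes the stored copy, emits a live `<script>` tag and the check reports the leak. The practical rule is the one in the thread: escape on output with a fixed charset and flags, and treat any call to html_entity_decode on data that originated from a user as a code-review finding.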
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/