Jasper Bryant-Greene wrote:
> My point is, can you think of a logical reason why html_entity_decode
> would be run on user input? I'm sure some idiot is doing it (and
> therefore this is a security issue, though not exactly critical), but
> I don't think I can think of a reason why it would be done.
> Why would you want to decode HTML entities given by a user? The
> opposite (encode their input into HTML entities) is the usual approach...
Ok, this "critical" is my fault. Seeing a memory dump of other users' data
seemed serious enough to me, and I suspected it might affect other
functions besides this one. Now that we know more, I agree that it is
less critical than I suspected. Still, it is a problem, and as the subject
said: "if you are running a web site with sensitive data". A malicious user can
upload a new script and see what others are doing. In most cases it is not as
critical as I assumed, but still bad enough, and I really expect to see
announcements for such problems faster and patches to come out sooner (I mean
RPMs this time). Right now my systems are unprotected until I start to
make packages myself or Novell makes one. Three weeks is too
much. And what about PHP 4.x and 5.0 users?
Tõnu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/