Quoting Rick Romero <[email protected]>:

Quoting Michael M Slusarz <[email protected]>:

Quoting Olivier <[email protected]>:

suhosin[2446]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'view' (attacker 'XXX.XXX.XXX.XXX', file '.../services/ajax.php')

Still waiting for someone to tell me how a NULL character, by itself, is a security threat.

What if the variable is expected to be numeric and you start doing math on it?

But what if the variable ends up being 0? That's a perfectly valid integer, but could cause problems if the application uses it as a divisor.

Isn't the purpose of suhosin to try and catch the stuff developers didn't catch?

But you can't break things that are supposed to work otherwise. NULL is a perfectly acceptable input in URL parameters.

And, e.g. with the 0 value above, the interpreter CAN'T possibly catch/process all valid inputs. That is the duty of the application author.

michael

___________________________________
Michael Slusarz [[email protected]]

--
IMP mailing list
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: [email protected]
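
An added example, not part of the original thread: one way to check whether a suhosin drop like the one quoted above comes from the application itself is to group the alerts by rule, variable and file and count the distinct clients behind each group. The regular expression is built only from the single alert line in the thread, the other log lines are constructed, and the `min_sources` threshold is an assumed heuristic.

```python
import re

# Pattern derived from the one alert line quoted in the thread; other suhosin
# message shapes are not covered (assumption).
ALERT_RE = re.compile(
    r"suhosin\[(?P<pid>\d+)\]: ALERT - (?P<reason>.+?) - dropped variable "
    r"'(?P<variable>[^']*)' \(attacker '(?P<source>[^']*)', file '(?P<file>[^']*)'"
)

# Constructed sample input: line 1 is the alert from the thread, the rest are
# made-up lines in the same shape (documentation IP range, hypothetical paths).
SAMPLE_LOG = """\
suhosin[2446]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'view' (attacker 'XXX.XXX.XXX.XXX', file '.../services/ajax.php')
suhosin[2447]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'view' (attacker '192.0.2.10', file '.../services/ajax.php')
suhosin[2451]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'view' (attacker '192.0.2.44', file '.../services/ajax.php')
suhosin[2460]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'id' (attacker '192.0.2.99', file '/var/www/example/index.php')
sshd[811]: Accepted publickey for admin from 192.0.2.10
"""


def parse_alert(line):
    """Return the alert fields as a dict, or None for unrelated log lines."""
    match = ALERT_RE.search(line)
    return match.groupdict() if match else None


def summarize(log_text):
    """Group dropped-variable alerts by (reason, variable, file).

    Returns {key: {"count": n, "sources": set of client addresses}}.
    """
    groups = {}
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        key = (alert["reason"], alert["variable"], alert["file"])
        group = groups.setdefault(key, {"count": 0, "sources": set()})
        group["count"] += 1
        group["sources"].add(alert["source"])
    return groups


def widespread(groups, min_sources=3):
    """Keys dropped for at least min_sources distinct clients: candidates for
    'the application sends this value itself' and worth reviewing first."""
    return sorted(k for k, g in groups.items() if len(g["sources"]) >= min_sources)


if __name__ == "__main__":
    for key, group in summarize(SAMPLE_LOG).items():
        print(group["count"], len(group["sources"]), key)
```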
