Full Version: PHPInfo Large Input Cross-Site Scripting Vulnerability
The Planet Forums > Security > General Security
DomineauX
phpinfo function XSS exploit:
http://www.securityfocus.com/bid/17362/info

Anyone want to make a mod_security rule for this?
Other solutions would be good to hear as well.
unSpawn
Better: a fix is available in CVS. If you have compelling reasons not to use it I'd say the risk is yours because the solution is already provided.

QUOTE (bid/17362/discuss)
This issue is due to a failure in the application to properly sanitize user-supplied input.

This has been a problem with PHP and apps for ages now and it keeps reappearing. IMHO what it means in essence is that those of you who use that stuff should start and keep urging developers and maintainers to follow safe coding rules that have existed for ages now. If, by the quality of their work, they indicate they are the type of developer that favours tinkering with adding new features over auditing and fixing problems in their existing code you know what you should do if you can't live with that.
DomineauX
Agreed, but it would be nice if all the open source programs that customers like, such as forums, would use well-sanitized code.