Re: Resolution for ver_export()/addslashes() encoding based script execution attack?

From: Date: Thu, 27 Feb 2014 22:22:47 +0000
Subject: Re: Resolution for ver_export()/addslashes() encoding based script execution attack?
Groups: php.internals
Hi,

On 26 February 2014 22:28, Yasuo Ohgaki <[email protected]> wrote:
>> I don't see how the RFC addressed the problem anyway.
>
> Please research how databases fixed this issue many years ago. I don't
> remember well, but I guess it was around 2005.

I have a vague recollection of issues, but since there's little
specific detail on this (as it pertains to PHP) publicly it's
impossible for most of us to assess what the problem may be. It's even
stranger to see a secret security report being RFC'd publicly, with
the attendant discussions on list, which appears to go against
responsible disclosure if one can put two and two together in a Eureka
moment. It just spreads a lot of doubt and confusion to no end.

Paddy

--
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative


php.internals (#72847)