Re: Resolution for ver_export()/addslashes() encoding based script execution attack?

From: Date: Thu, 27 Feb 2014 23:08:19 +0000
Subject: Re: Resolution for ver_export()/addslashes() encoding based script execution attack?
References: 1 2 3 4 5 6 7 8 9 10 11 12 13  Groups: php.internals 
Request: Send a blank email to [email protected] to get a copy of this message 
Hi Padraic,

On Fri, Feb 28, 2014 at 7:22 AM, Pádraic Brady <[email protected]>wrote:

> On 26 February 2014 22:28, Yasuo Ohgaki <[email protected]> wrote:
> >> I don't see how the RFC addressed the problem anyway.
> >
> > Please research how databases were fixed this issue many years ago. I
> don't
> > remember well, but I guess it was around 2005.
>
> I have a vague recollection of issues, but since there's little
> specific detail on this (as it pertains to PHP) publicly it's
> impossible for most of us to assess what the problem may be. It's even
> stranger to see a secret security report being RFC'd publicly, with
>

Right. This kind of discussion should be done in closed list.


> the attendant discussions on list, which appears to go against
> responsible disclosure if one can put two and two together in a Eureka
> moment. It just spreads a lot of doubt and confusion to no end.


For the time being, I suggest look for the details of char encoding based
SQL/JavaScript injections. The basic is the same.

Regards,

P.S. Are we really going to discuss this kind of discussion in public?
Can't we just discuss implementation?

--
Yasuo Ohgaki
[email protected]

Thread (20 messages)

« previous php.internals (#72851) next »