[Secure-testing-team] Re: Bug#342943: only kronolith2 fixed

Florian Weimer fw at deneb.enyo.de
Sun Jan 22 18:37:00 UTC 2006


* Martin Schulze:

> I've taken a look at the patch, and several lines contain changes not
> suitable for a security update, i.e. fix different potential bugs or
> change the code.  I'm attaching the patch.  More eyes checking would
> be appreciated.

This one seems only safe when magic_quotes_gpc is enabled:

-  <input type="submit" [...] onclick="self.location = '<?php echo $url; ?>'; return false;" />
+  <input type="submit" [...] onclick="self.location = '<?php echo htmlspecialchars($url); ?>'; return false;" />
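Review bot: the single quote that delimits the JavaScript string in `self.location = '<?php echo htmlspecialchars($url); ?>'` is still unescaped after this change, because htmlspecialchars() called without flags (the ENT_COMPAT default on the PHP of that era) converts only &, <, > and the double quote; a `'` in $url therefore closes the JS string and the rest of the value runs as code. Passing ENT_QUOTES would not close the hole either, since the browser decodes the attribute's HTML entities before handing the value to the JavaScript engine, so `&#039;` becomes `'` again. Suggest encoding for the JavaScript context first and for the attribute second, e.g. `json_encode($url, JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP)` wrapped in `htmlspecialchars(..., ENT_QUOTES)`, or dropping the inline onclick and carrying the URL in an attribute the browser treats as a URL (a link href or form action), which needs only attribute encoding. The hunk also relies on magic_quotes_gpc for its safety, which a security update should not assume.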

(htmlspecialchars does not quote single quotes, and even if it did, it
would not really help because the HTML should be reversed before the
JavaScript parser runs.)

It's probably not a real problem because everybody runs with
magic_quotes_gpc enabled, though.

Apart from the issues in your diff, there seem to be others.  Is
anybody familiar with the HORDE framework (at that version) and can
explain how variables are handled internally?  There seems to be some
kind of register_globals reimplementation.

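The point about context layering in the message above, as an added example rather than code from the thread or from Horde/Kronolith. The $url value is constructed attacker input (assumed to arrive via $_GET); ENT_COMPAT is passed explicitly to reproduce the htmlspecialchars() default of that era, since PHP 8.1 changed the default to ENT_QUOTES; the helper names jsSeenByBrowser and jsStringInAttr are my own.

```php
<?php
// Added example, not from the original message or from Horde/Kronolith.
// Scenario from the diff: a request-supplied URL echoed into a single-quoted
// JavaScript string that itself sits inside a double-quoted onclick attribute.

// Constructed attacker-controlled value; assume it came in via $_GET['url'].
$url = "x';alert(document.cookie);//";

function onclickAttr(string $inner): string {
    return 'onclick="self.location = ' . $inner . '; return false;"';
}

// 1. The patched line from the diff. ENT_COMPAT is the htmlspecialchars()
//    default before PHP 8.1: it touches & < > and ", but not the single quote,
//    so the JavaScript string is still closed by the attacker's quote.
$patched = onclickAttr("'" . htmlspecialchars($url, ENT_COMPAT) . "'");

// 2. ENT_QUOTES turns ' into &#039;, which looks safe in the page source...
$entQuotes = onclickAttr("'" . htmlspecialchars($url, ENT_QUOTES) . "'");

// ...but the HTML parser decodes attribute entities before the JavaScript
// engine ever sees the value. Model that decoding step explicitly.
function jsSeenByBrowser(string $attrValue): string {
    return html_entity_decode($attrValue, ENT_QUOTES);
}

// 3. What magic_quotes_gpc did (and what the fix silently depends on):
//    backslash-escape quotes in GPC input before the script sees it.
$magicQuoted = onclickAttr("'" . addslashes($url) . "'");

// 4. Encode for the inner (JavaScript) context first, then for the outer
//    (HTML attribute) context. The JSON_HEX_* flags keep ' " < > & out of
//    the JS literal entirely, so nothing survives the attribute decoding
//    that could terminate the string or the script.
function jsStringInAttr(string $value): string {
    $js = json_encode($value, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    return htmlspecialchars($js, ENT_QUOTES, 'UTF-8');
}
$fixed = onclickAttr(jsStringInAttr($url));

echo "patched (ENT_COMPAT):   $patched\n";
echo "  JS sees: ", jsSeenByBrowser($patched), "\n\n";
echo "ENT_QUOTES:             $entQuotes\n";
echo "  JS sees: ", jsSeenByBrowser($entQuotes), "\n\n";   // quote is back
echo "magic_quotes_gpc:       $magicQuoted\n\n";
echo "JS-then-HTML encoded:   $fixed\n";
echo "  JS sees: ", jsSeenByBrowser($fixed), "\n";         // a plain JS literal
```

Running this shows the patched and ENT_QUOTES variants both delivering `self.location = 'x';alert(document.cookie);//'` to the JavaScript engine, while the JS-then-HTML encoded form reaches it as a double-quoted string literal containing `\u0027` rather than a quote. The better structural fix is to avoid inline JavaScript for a navigation URL altogether and emit it in an href or form action with plain attribute encoding.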