Re: PHP Net Toolpack: input validation error

From: Jon Ribbens (jon+bugtraqat_private)
Date: Tue Mar 19 2002 - 08:37:45 PST

    ppp-design <security@ppp-design.de> wrote:
    > You can use escapeshellcmd() to check the input for unwanted characters.
    > So you can replace the bad line in the traceroute function with the
    > following two lines:
    > 
    > $sec_input=escapeshellcmd($a_query);
    > exec("/sbin/traceroute $sec_input",$ret_strs);
    
    Note that this does not do what you think it does. escapeshellcmd is
    not the right function to use - at the very least, people can still
    pass more than one parameter to traceroute when you only want them to
    be able to pass one. The correct function to use is escapeshellarg.
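
The difference between the two functions discussed in this message, shown as an added example that is not part of the original post or of PHP Net Toolpack. It assumes PHP 7.1 or later and a POSIX shell; `printf` stands in for `/sbin/traceroute`, and `argv_seen()` and `traceroute_arg()` are hypothetical helper names. The validation step goes beyond what the message states.

```php
<?php
// Added example, not from the original post. printf stands in for
// /sbin/traceroute so the argument splitting can be seen safely.

// Run the stand-in with an already-escaped argument string and return
// one array entry per argument the shell passed to the program.
function argv_seen(string $escaped): array
{
    $lines = [];
    exec("printf '[%s]\\n' " . $escaped, $lines);
    return $lines;
}

// Assumption: the caller wants exactly one IP address or hostname.
// Returns a single shell-quoted argument, or null if the input is neither.
function traceroute_arg(string $a_query): ?string
{
    $ok = filter_var($a_query, FILTER_VALIDATE_IP) !== false
        || filter_var($a_query, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    return $ok ? escapeshellarg($a_query) : null;
}

// Constructed input: a host followed by extra option-like words.
$a_query = "192.0.2.1 -n -q 1";

// escapeshellcmd() leaves spaces and hyphens alone, so the shell splits
// the value into separate arguments.
print_r(argv_seen(escapeshellcmd($a_query)));

// escapeshellarg() wraps the whole value in single quotes, so the program
// receives it as one argument.
print_r(argv_seen(escapeshellarg($a_query)));

// Validation rejects the multi-word value and anything starting with "-",
// which escapeshellarg() alone would still hand over as a single option.
var_dump(traceroute_arg($a_query));
var_dump(traceroute_arg("-n"));
var_dump(traceroute_arg("192.0.2.1"));
```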
    


