Re: PHP fopen() CRLF Injection

From: Stefan Esser (sesserat_private)
Date: Thu Sep 12 2002 - 10:55:25 PDT

    Hi,
    
    > This issue has now been fixed in their CVS repository. This is the
    > patch that they used:
    
    I dislike calling my patch a fix. The problem you describe is not a
    bug within PHP. One could call it an undocumented feature that is
    now gone with my patch. You cannot blame a programmer's error on the
    language itself. Your fopen() thing only occurs if the programmer
    does TWO stupid things: A) pass user input directly to a function
    without proper validation, B) pass a URL to a function that is not
    a URL. Any string that contains control chars cannot be a valid URL.
    Before you pass a string that should be a URL to any function you
    MUST urlencode() it. No need for your reg expression at all.
    Following your idea I could blame the libc authors for implementing
    strcpy() because, misused, it leads to buffer overflows.
    
    Just because PHP is easy (to learn) you cannot leave your
    brain at home when programming for your company. 
    
    Stefan Esser 
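
The two checks named in the message (reject any would-be URL that contains control characters, and encode user input before it becomes part of a URL), as an added example that is not part of the original post and not the PHP project's patch. The function names and the example.com host are hypothetical.

```php
<?php
// Added example: is_safe_http_url(), build_lookup_url() and example.com
// are hypothetical names chosen for illustration.

/**
 * Return true only if $url contains no control characters or spaces
 * and parses as an http/https URL with a host.
 */
function is_safe_http_url(string $url): bool
{
    // CR, LF, NUL, every other ASCII control byte and the space character
    // may never appear unencoded in a URL, so reject the string outright.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

/**
 * Build a URL from a fixed base and one user-supplied query value.
 * rawurlencode() percent-encodes CR and LF, so they remain data inside
 * the query string and cannot terminate the request line.
 */
function build_lookup_url(string $userValue): string
{
    return 'http://example.com/lookup?q=' . rawurlencode($userValue);
}

// Constructed sample input: a value carrying CRLF followed by a header line.
$tainted = "test\r\nX-Injected: 1";

// Concatenating raw input produces a string that is not a URL: rejected.
var_dump(is_safe_http_url('http://example.com/' . $tainted));

// Encoding the user-supplied part first yields a URL that passes the check.
$url = build_lookup_url($tainted);
var_dump(is_safe_http_url($url));

if (is_safe_http_url($url)) {
    // Only a validated URL reaches the stream wrapper, for example:
    // $fp = fopen($url, 'r');
}
```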
    
    
    
    
    
    
    


