[imp] BUG: php 5 suhosin triggers MBOX_PREFIX separator
Michael M Slusarz
slusarz at horde.org
Mon May 23 17:23:48 UTC 2011
Quoting Olivier <olivier at ablinux.com>:

>> suhosin[2446]: ALERT - ASCII-NUL chars not allowed within request
>> variables - dropped variable 'view' (attacker 'XXX.XXX.XXX.XXX',
>> file '.../services/ajax.php')

Still waiting for someone to tell me how a NULL character, by itself,
is a security threat.

Maybe suhosin should also filter out j, a, v, s, c, r, i, p, and t
characters because they can be used to create XSS attacks.

michael
___________________________________
Michael Slusarz [slusarz at horde.org]