[imp] BUG: php 5 suhosin triggers MBOX_PREFIX separator
Rick Romero
rick at havokmon.com
Mon May 23 17:49:37 UTC 2011
Quoting Michael M Slusarz <slusarz at horde.org>:
> Quoting Olivier <olivier at ablinux.com>:
>
>>> suhosin[2446]: ALERT - ASCII-NUL chars not allowed within request
>>> variables - dropped variable 'view' (attacker 'XXX.XXX.XXX.XXX',
>>> file '.../services/ajax.php')
>
> Still waiting for someone to tell me how a NULL character, by
> itself, is a security threat.
What if the variable is expected to be numeric and you start doing math on it?

Isn't the purpose of suhosin to try and catch the stuff developers
didn't catch?

Rick