[imp] BUG: php 5 suhosin triggers MBOX_PREFIX separator

Rick Romero rick at havokmon.com
Mon May 23 17:49:37 UTC 2011


Quoting Michael M Slusarz <slusarz at horde.org>:

> Quoting Olivier <olivier at ablinux.com>:
>
>>> suhosin[2446]: ALERT - ASCII-NUL chars not allowed within request  
>>> variables - dropped variable 'view' (attacker 'XXX.XXX.XXX.XXX',  
>>> file '.../services/ajax.php')
>
> Still waiting for someone to tell me how a NULL character, by  
> itself, is a security threat.

What if the variable is expected to be numeric and you start doing math on it?

Isn't the purpose of suhosin to try and catch the stuff developers  
didn't catch?

Rick


