[imp] BUG: php 5 suhosin triggers MBOX_PREFIX separator
Michael M Slusarz
slusarz at horde.org
Mon May 23 18:06:42 UTC 2011
Quoting Rick Romero <rick at havokmon.com>:
> Quoting Michael M Slusarz <slusarz at horde.org>:
>
>> Quoting Olivier <olivier at ablinux.com>:
>>
>>>> suhosin[2446]: ALERT - ASCII-NUL chars not allowed within request
>>>> variables - dropped variable 'view' (attacker 'XXX.XXX.XXX.XXX',
>>>> file '.../services/ajax.php')
>>
>> Still waiting for someone to tell me how a NULL character, by
>> itself, is a security threat.
>
> What if the variable is expected to be numeric and you start doing
> math on it?
But what if the variable ends up being 0. That's a perfectly valid
integer, but could cause problems if the application uses it as a
divisor.
> Isn't the purpose of suhosin to try and catch the stuff developers
> didn't catch?
But you can't break things that are supposed to work otherwise. NULL
is a perfectly acceptable input in URL parameters.
And, e.g. with the 0 value above, the interpreter CAN'T possibly
catch/process all valid inputs. That is the duty of the application
author.
michael
___________________________________
Michael Slusarz [slusarz at horde.org]
More information about the imp
mailing list