[imp] BUG: php 5 suhosin triggers MBOX_PREFIX separator

Rick Romero rick at havokmon.com
Mon May 23 18:15:43 UTC 2011


Quoting Michael M Slusarz <slusarz at horde.org>:

> Quoting Rick Romero <rick at havokmon.com>:
>
>> Quoting Michael M Slusarz <slusarz at horde.org>:
>>
>>> Quoting Olivier <olivier at ablinux.com>:
>>>
>>>>> suhosin[2446]: ALERT - ASCII-NUL chars not allowed within  
>>>>> request variables - dropped variable 'view' (attacker  
>>>>> 'XXX.XXX.XXX.XXX', file '.../services/ajax.php')
>>>
>>> Still waiting for someone to tell me how a NULL character, by  
>>> itself, is a security threat.
>>
>> What if the variable is expected to be numeric and you start doing  
>> math on it?
>
> But what if the variable ends up being 0.  That's a perfectly valid  
> integer, but could cause problems if the application uses it as a  
> divisor.
>
>> Isn't the purpose of suhosin to try and catch the stuff developers  
>> didn't catch?
>
> But you can't break things that are supposed to work otherwise.   
> NULL is a perfectly acceptable input in URL parameters.
>
> And, e.g. with the 0 value above, the interpreter CAN'T possibly  
> catch/process all valid inputs.  That is the duty of the application  
> author.

I dunno.  I agree with your last paragraph, it's not suhosin's job to  
be a substitute for proper input validation.   But kinda I think that  
contradicts 'NULL is a perfectly acceptable input..'.
I mean - Do you really design an application and say "Yep, we're going  
to expect a user (or unknown entity) to send a NULL here" ?

Assuming it's coded 'properly' that variable should have been pre-set  
in code, and upon receiving a URL param with data outside the expected  
range (numerical, >0), promptly ignored it.  Or am I wrong?

Rick





More information about the imp mailing list