Quoting Michael M Slusarz <slus...@horde.org>:

> Quoting Rick Romero <r...@havokmon.com>:
>
>> Quoting Michael M Slusarz <slus...@horde.org>:
>>
>>> Quoting Olivier <oliv...@ablinux.com>:
>>>
>>>> suhosin[2446]: ALERT - ASCII-NUL chars not allowed within
>>>> request variables - dropped variable 'view' (attacker
>>>> 'XXX.XXX.XXX.XXX', file '.../services/ajax.php')
>>>
>>> Still waiting for someone to tell me how a NULL character, by
>>> itself, is a security threat.
>>
>> What if the variable is expected to be numeric and you start doing
>> math on it?
>
> But what if the variable ends up being 0? That's a perfectly valid
> integer, but could cause problems if the application uses it as a
> divisor.
>
>> Isn't the purpose of suhosin to try and catch the stuff developers
>> didn't catch?
>
> But you can't break things that are supposed to work otherwise.
> NULL is a perfectly acceptable input in URL parameters.
>
> And, e.g. with the 0 value above, the interpreter CAN'T possibly
> catch/process all valid inputs. That is the duty of the application
> author.

I dunno. I agree with your last paragraph: it's not suhosin's job to
be a substitute for proper input validation. But kinda I think that
contradicts "NULL is a perfectly acceptable input...".

I mean, do you really design an application and say "Yep, we're going
to expect a user (or unknown entity) to send a NULL here"?

Assuming it's coded 'properly', that variable should have been pre-set
in code, and upon receiving a URL param with data outside the expected
range (numerical, >0), promptly ignored it. Or am I wrong?
Rick
--
IMP mailing list
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: imp-unsubscr...@lists.horde.org
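The validation pattern Rick describes (a pre-set default, and a URL parameter that is only honoured when it is a positive integer) written out as an added PHP example. This is not code from the thread or from Horde/IMP; the function name readPositiveInt and the use of the 'view' key are illustrative, and the comparison loop assumes PHP 7.1 or later. The point it makes is that a strict digit check rejects a NUL-bearing value (and "0", signs, whitespace and exponent forms) on its own, so the application does not depend on suhosin to drop it, while an (int) cast or is_numeric() quietly accepts several of those inputs.

```php
<?php
// Added example, not part of the mailing-list thread or of Horde/IMP.
// readPositiveInt() and the 'view' key are illustrative names.

/**
 * Return $default unless $params[$name] is a string of ASCII digits
 * representing an integer > 0. Anything else (missing key, array value,
 * NUL bytes, signs, whitespace, exponent notation, "0") is ignored,
 * which is the behaviour Rick proposes for a "numerical, >0" parameter.
 */
function readPositiveInt(array $params, string $name, int $default): int
{
    if (!isset($params[$name]) || !is_string($params[$name])) {
        return $default;
    }
    $raw = $params[$name];

    // ctype_digit() is false for an empty string and for any byte that is
    // not 0-9, including "\0", so it is stricter than is_numeric() or an
    // (int) cast, both of which tolerate leading/trailing junk of some kind.
    // The length cap keeps the value well inside PHP_INT_MAX on every build.
    if (!ctype_digit($raw) || strlen($raw) > 9) {
        return $default;
    }

    $value = (int) $raw;                       // safe: digits only, at most 9
    return $value > 0 ? $value : $default;     // "0" and "000" fall back as well
}

// Constructed sample inputs, including the NUL-byte case from the suhosin alert.
$samples = ["12", "0", "5\0junk", "12abc", " 7", "-3", "", "1e3"];

// Show side by side what a loose cast, is_numeric() and the strict check
// make of each input. The default (1) is what the strict path returns
// whenever the value is rejected.
foreach ($samples as $s) {
    printf("%-14s cast=%-6s is_numeric=%-6s strict=%d\n",
        json_encode($s),
        var_export((int) $s, true),
        var_export(is_numeric($s), true),
        readPositiveInt(['view' => $s], 'view', 1));
}
```

Run it with `php example.php`. The strict column is the only one that treats "5\0junk", "12abc", " 7", "-3" and "1e3" the same way it treats "0": all of them fall back to the default, so nothing downstream ever sees a NUL byte or a zero divisor for this parameter, regardless of whether suhosin is loaded.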