[VIM] TCExam - 'XSS' is dynamic variable evaluation; vendor patch
Steven M. Christey
coley at mitre.org
Tue May 1 23:38:46 UTC 2007
Researcher: rgod
Ref: http://www.milw0rm.com/exploits/3816
rgod reported it as XSS, but to quote him, it's also "God only knows
what", due to dynamic variable evaluation:
  // --- get posted and get variables (to be compatible with register_globals off)
  foreach ($_REQUEST as $postkey => $postvalue) {
      $$postkey = $postvalue;
  }
The latest version has this fix:
  foreach ($_REQUEST as $postkey => $postvalue) {
      if (($postkey{0} != '_') AND (!preg_match("/[A-Z]/", $postkey{0}))) {
          $$postkey = $postvalue;
      }
  }
which smells like a loose regular expression to me that will still
allow modification of arbitrary lowercase variables, but I didn't look
into whether there were security ramifications.
- Steve
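The PHP below is an added illustration for this note, not code from rgod's advisory or from TCExam. It models both versions of the loop inside a function so the effect on application state can be observed without a web server, and puts an allowlist alternative next to them. The state variables ($logged_in, $user_level, $Debug, $_secret), the helper names and the sample request are all hypothetical; the vendor check is written with [] in place of the {} string-offset syntax, which was removed in PHP 8.0, with the same semantics.

```php
<?php
// Added example, not TCExam code: models the vulnerable loop, the vendor's
// fix, and an allowlist alternative. All variable names here are hypothetical.

function register_request_vars(array $request, bool $vendor_fix): array
{
    // Hypothetical application state that shares the loop's scope.
    $logged_in  = false;
    $user_level = 'guest';
    $Debug      = false;   // uppercase-initial name: blocked by the vendor fix
    $_secret    = 'x';     // underscore-initial name: blocked by the vendor fix
    $applied    = [];

    foreach ($request as $postkey => $postvalue) {
        $postkey = (string) $postkey;   // numeric keys arrive as int
        if ($vendor_fix) {
            // Vendor check, using [] instead of the {} offset syntax removed
            // in PHP 8.0; only the first character of the key is inspected.
            if ($postkey === ''
                || $postkey[0] == '_'
                || preg_match('/[A-Z]/', $postkey[0])) {
                continue;
            }
        }
        $$postkey  = $postvalue;        // dynamic variable evaluation
        $applied[] = $postkey;
    }

    return [
        'logged_in'  => $logged_in,
        'user_level' => $user_level,
        'Debug'      => $Debug,
        '_secret'    => $_secret,
        'applied'    => $applied,
    ];
}

// Hardened alternative: copy only the parameters the page expects, and never
// reach into the symbol table with a request-controlled name.
function read_expected_params(array $request, array $expected): array
{
    $params = [];
    foreach ($expected as $name) {
        if (array_key_exists($name, $request)) {
            $params[$name] = $request[$name];
        }
    }
    return $params;
}

// Constructed sample request (not captured traffic): a search parameter, a
// login-bypass attempt against lowercase names, and two names the fix blocks.
$sample = [
    'q'          => 'search term',
    'logged_in'  => '1',
    'user_level' => 'admin',
    'Debug'      => '1',
    '_secret'    => 'leaked',
];

echo "Original loop:\n";
var_export(register_request_vars($sample, false));
echo "\n\nVendor fix:\n";
var_export(register_request_vars($sample, true));
echo "\n\nAllowlist:\n";
var_export(read_expected_params($sample, ['q', 'page']));
echo "\n";
```

With the vendor filter on, $Debug and $_secret keep their initial values, but $logged_in and $user_level still take the request's values, because the filter only rejects keys whose first character is an underscore or an uppercase letter and says nothing about lowercase names. The allowlist version yields just the 'q' entry and never touches a variable the page did not name itself.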