[pmwiki-users] Custom PageVariables from request strings: critical vulnerability
Oliver Betz
list_ob at gmx.net
Sat Feb 27 05:58:22 CST 2016
Petko Yotov wrote 2015-12-19:
>
> This message concerns you if your wiki creates custom page variables
> which get their values from request strings like the URL address of the
> page.
>
> The previously documented recommended way to sanitize such values can
> allow PHP code injection in some cases.
>
> The following is very insecure:
>
> $FmtPV['$Var'] = $_REQUEST['Var']; # insecure
> $FmtPV['$Var'] = '"'. addslashes($_REQUEST['Var']).'"'; # insecure
Is htmlspecialchars vulnerable?
Oliver
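An added PHP example, not from this thread or from PmWiki's own code, illustrating the defensive pattern behind the advisory: every $FmtPV entry is evaluated by PmWiki as a PHP expression, so escaping the value (with addslashes, htmlspecialchars or similar) still leaves visitor-controlled text inside PHP source; the safe approach stores the sanitized value in a variable and makes the expression a fixed reference to it. The stand-in evaluator eval_page_variable(), the global $SafeVar and the sample request value are assumptions made for this example.

```php
<?php
// Added example (not from the pmwiki-users thread or PmWiki's code base).
// PmWiki evaluates each $FmtPV entry as a PHP expression, so anything that
// builds that expression out of request data turns data into code. The safe
// pattern keeps the request value in an ordinary variable and lets the
// expression merely reference it; the value itself is never parsed as PHP.

// Stand-in for PmWiki's page-variable substitution: the entry is a PHP
// expression that is evaluated to produce the variable's value. This is the
// step that makes embedding request data into the expression dangerous.
function eval_page_variable(array $FmtPV, string $name): string
{
    if (!isset($FmtPV[$name])) {
        return '';
    }
    return (string) eval('return ' . $FmtPV[$name] . ';');
}

// Constructed request value standing in for whatever a visitor put in the URL.
// It contains quotes and a dollar sign on purpose: inside a double-quoted PHP
// string literal the dollar sign would trigger variable interpolation, and
// neither addslashes() nor htmlspecialchars() touches it.
$_REQUEST['Var'] = 'hello "world" $notAVariable';

// Insecure pattern quoted in the thread: the untrusted text becomes part of
// the expression source. Quoting or HTML-escaping it does not change that.
// $FmtPV['$Var'] = '"' . addslashes($_REQUEST['Var']) . '"';   // do not use

// Safe pattern: sanitize once for the output context (here HTML), store the
// result in a global, and make the $FmtPV expression a constant reference to
// that global. The expression text contains no visitor-controlled characters,
// and the single-quoted literal below is never interpolated.
$SafeVar = htmlspecialchars($_REQUEST['Var'], ENT_QUOTES, 'UTF-8');

$FmtPV = [];
$FmtPV['$Var'] = '$GLOBALS["SafeVar"]';

// The evaluated expression only reads $SafeVar; the dollar sign and quotes in
// the visitor's input come back as literal, escaped text.
echo eval_page_variable($FmtPV, '$Var'), "\n";
```

The same separation applies to any other request-derived page variable: sanitize into a PHP variable first, and never concatenate the request value into the $FmtPV expression string.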