[pLog-svn] Fwd: php vulnerability
Jon Daley
plogworld at jon.limedaley.com
Thu Sep 7 12:30:36 GMT 2006
ip2long has a bug in it. We use it in IpRangeRule and
IpMatchValidator.
As far as I can tell, we only use IpMatchValidator in the
hostblock plugin. (which maybe we aren't validating ips before we put
them in the referrer) Maybe we are just stripping non-numerics.
The php manual has some good advice about using ip2long like this:
if(long2ip(ip2long($ip)) != $ip)
fail;
This will catch some cases where there are invalid ips, like "10.0.0" and
the final zero is assumed, and I believe will also catch the SQL
injections as well.
---------- Forwarded message ----------
Date: Thu, 7 Sep 2006 02:23:07 -0400 (EDT)
From: daemon
Subject: Debian security status of tangerine.limedaley.com
CVE-2006-4023
<http://idssi.enyo.de/tracker/CVE-2006-4023>
- php4
- php4-cgi
- php4-common
- php4-curl
- php4-dev
- php4-gd
- php4-mysql
- php4-pgsql
- php5
- php5-cgi
- php5-common
- php5-curl
- php5-gd
- php5-mysql
- php5-pgsql
More information about the pLog-svn
mailing list