Re: [Phplib-users] phplib 6.1, php3 and php4
From: Richard A. <rh...@ju...> - 2002-01-24 05:59:46
At 11:04 PM -0600 23/1/02, Lindsay Haisley wrote:
>Thus spake Richard Archer on Wed, Jan 23, 2002 at 10:35:32PM CST
>> I fixed a cross-site scripting vulnerability in PHPLIB last
>> October. I'm pretty sure that problem would have been there since
>> version 6.1 (although that version pre-dates my use of PHPLIB).
>> Consult the source forge bug tracker for more info.
>
>Did it make it into their database?

I committed it straight into the SourceForge CVS. It was fixed following
a bug report posted to the SourceForge bug tracker, which is why I
referred you there for further information. It's at (watch the long
lines):

http://sourceforge.net/tracker/index.php?func=detail&aid=450712&group_id=31885&atid=403611

You can also read my CVS commit comment and my addition to the CHANGES
file via the SourceForge CVS.

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/phplib/php-lib-stable/CHANGES.diff?r1=1.8&r2=1.9
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/phplib/php-lib-stable/php/session.inc
(version 1.12)

>> I also re-worked the optional md5 hash login forms. Probably not an
>> issue for you since I don't think this was a feature of 6.1, however
>> it is an example of another security upgrade to PHPLIB.
>
>Yes, it's in 6.1 and I use it, although it's mostly for private pages that
>no one knows about that are for internal company use. I've reworked the
>form many times. Is there a security problem of some sort in the md5 hash?

The javascript failed on modern browsers and defaulted to sending the
plain text password. This wasn't apparent unless you used a sniffer or
added debug code to the PHP script to verify exactly what was going on.

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/phplib/php-lib-stable/php/crcloginform.ihtml
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/phplib/php-lib-stable/php/crloginform.ihtml

>My main mission on this list was
>to find out about incompatibilities between phplib v6.1 and php4, and it
>seems that I struck out on this, but at least a portion of the traffic I've
>received from the list has been helpful in other regards.

Well, I think I made about a dozen changes to 7.2d to fix PHP4 problems.
I bet there are a whole lot more between 6.1 and 7.2d!!!

There used to exist a document with some hints to help with the upgrade
from v6 to v7. I don't seem to be able to find it now. I think it mainly
pointed out the changes in the session database tables.

...R.
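The silent fallback described in the message (browser-side hashing fails, the raw password goes over the wire, and nothing on the server notices) is the kind of thing a server-side check can make visible. The following is an added example, not PHPLIB's own code; it assumes a challenge-response form in which the browser is expected to submit md5(challenge . password), and the field names and sample values are constructed.

```php
<?php
// Added example (not PHPLIB code). Assumes the login form is expected to
// submit md5($challenge . $password); the server recomputes that digest,
// so it needs the password (or must derive the same value) on its side.

function looks_like_md5_digest(string $value): bool {
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $value);
}

// Classify what the browser actually sent. Returns one of:
//   'digest'     well-formed 32-hex value that verifies against the challenge
//   'bad-digest' well-formed but does not verify (wrong password or challenge)
//   'plaintext'  the raw password arrived unhashed: client-side hashing failed
//   'invalid'    anything else (empty field, garbage)
function classify_login_submission(string $submitted, string $challenge, string $password): string {
    if (looks_like_md5_digest($submitted)) {
        $expected = md5($challenge . $password);
        return hash_equals($expected, strtolower($submitted)) ? 'digest' : 'bad-digest';
    }
    if (hash_equals($password, $submitted)) {
        return 'plaintext';
    }
    return 'invalid';
}

// Constructed sample submissions, standing in for the debug harness the
// message says was needed to see what the browser really sent.
$challenge = 'c0ffee1234';   // constructed server-issued nonce
$password  = 'hunter2';      // constructed account password
$samples = [
    md5($challenge . $password),  // browser hashed correctly
    $password,                    // JavaScript failed: plain text on the wire
    md5($challenge . 'wrong'),    // well-formed digest, wrong password
    '',                           // empty field
];
foreach ($samples as $s) {
    $verdict = classify_login_submission($s, $challenge, $password);
    // A 'plaintext' verdict must be treated as a failed login and logged:
    // the secret has already crossed the network unprotected, so the
    // fallback should trigger a password change, not a successful session.
    printf("%-40s -> %s\n", $s === '' ? '(empty)' : $s, $verdict);
}
```

Only 'digest' should ever grant a session; the other three verdicts are all reasons to refuse, and 'plaintext' is the one that tells you the form itself is broken for that browser.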