Finally got a few moments to recap the PHP Quebec 2006 Conference, which, as usual, was a great success and a great deal of fun. I'd like to thank the organizers for doing an amazing job and bringing a great group of people together from both the development and user communities. My talks during the conference went quite well, and I am especially happy with the PDO talk; this topic seemed of particular interest to the audience and I hope we'll get a couple of new PDO users out of it. The slides from my talks are now available online and can be found here:
Slide excerpt (extracted from the deck; the text is incomplete): "we can see such exploit"
Exploiting Code in Previous Slide
While the code on the previous slide works, it can be trivially exploited, due to its usage of
But what can a hacker do with it? What advantage will it give him?
Well, a hacker could send repeated calls to the script, making it crash over and over again. This will in turn spike resource consumption on the server, potentially leading to a denial of service attack.
There is a mistake in the presentation, regarding HTTP response splitting.
HTTP response splitting is still possible even after the "fix" in PHP 5.1.2, see
http://www.securiteam.com/securityreviews/5CP0L0AHPC.html (published February 2006, before your presentation).
This also means the exclusion approach is imperfect.
Thanks for the informative article. As far as I understand, the fix would only not work on servers/proxies that violate the RFC. Contrary to the article's author, I hardly think that is a common case, and the use of software that blatantly violates the RFC for no good reason should be avoided whenever possible.
1. In the article, the SunONE proxy server is mentioned as one such piece of software. It is quite popular.
2. If we are to avoid "software that blatantly violates the RFC for no good reason", this means we need to avoid Apache. Apache treats horizontal tab (\t) as SPACE in the URL line (see http://www.securityfocus.com/archive/1/411585). Do you seriously expect people to abandon Apache?
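The point this thread turns on, as an added example that is not part of the original post, the slides, or PHP's own source: an exclusion filter that permits RFC 2616 header folding (a CR/LF followed by SP or HT, which is how I read the PHP 5.1.2 header() change; treat that reading as an assumption) will pass a value that a folding-aware parser reads as one long Location header, while a folding-unaware intermediary reads the same bytes as two headers. The function names, both parsers and the `SPLIT_ATTEMPT` input are my own constructed names and data; neither parser models a specific product.

```python
"""Header-injection exclusion filters versus what different proxies see.

Added example; not code from the page, from the conference slides, or from
PHP itself. fold_aware_check() is modelled on the PHP 5.1.2 header() fix as
I read it (an assumption about that code): a CR or LF is rejected unless it
is followed by SP or HT, because RFC 2616 allows a header value to be folded
onto a continuation line that way. The two parsers are constructed models of
intermediaries, not any named product.
"""
from __future__ import annotations

from typing import List, Optional, Tuple

CR, LF, SP, HT = "\r", "\n", " ", "\t"


def fold_aware_check(value: str) -> bool:
    """Reject line breaks that are not RFC 2616 folds (assumed 5.1.2 rule).

    A bare CR, a bare LF, or a CRLF followed by anything other than SP/HT is
    an illegal break. A break followed by SP or HT is allowed as folding.
    """
    i, n = 0, len(value)
    while i < n:
        c = value[i]
        if c == "\0":
            return False
        if c in (CR, LF):
            # Treat CRLF as a single break; a lone CR or LF is also a break.
            j = i + 2 if (c == CR and i + 1 < n and value[i + 1] == LF) else i + 1
            if j >= n or value[j] not in (SP, HT):
                return False
            i = j
            continue
        i += 1
    return True


def strict_check(value: str) -> bool:
    """Reject any CR, LF or NUL outright: no folding exception at all."""
    return not any(c in value for c in (CR, LF, "\0"))


def build_redirect(target: str, check) -> Optional[bytes]:
    """Build a minimal 302 whose Location value comes from user input.

    Returns None when the given check rejects the value, mirroring a
    header() call that refuses to emit the header.
    """
    if not check(target):
        return None
    return (b"HTTP/1.1 302 Found\r\n"
            + b"Location: " + target.encode("latin-1") + b"\r\n"
            + b"Content-Length: 0\r\n"
            + b"\r\n")


def _header_lines(raw: bytes) -> List[bytes]:
    """Split the header block (status line excluded) into CRLF-terminated lines."""
    block = raw.split(b"\r\n\r\n", 1)[0]
    return block.split(b"\r\n")[1:]


def parse_rfc2616(raw: bytes) -> List[Tuple[str, str]]:
    """Folding-aware parser: a line starting with SP/HT continues the previous value."""
    headers: List[Tuple[str, str]] = []
    for line in _header_lines(raw):
        if line[:1] in (b" ", b"\t") and headers:
            name, val = headers[-1]
            headers[-1] = (name, val + " " + line.strip().decode("latin-1"))
            continue
        name, _, val = line.partition(b":")
        headers.append((name.strip().decode("latin-1"), val.strip().decode("latin-1")))
    return headers


def parse_no_folding(raw: bytes) -> List[Tuple[str, str]]:
    """Folding-unaware parser: leading whitespace is dropped, every line is a header.

    Constructed model of the kind of intermediary the thread argues about.
    """
    headers: List[Tuple[str, str]] = []
    for line in _header_lines(raw):
        name, _, val = line.lstrip(b" \t").partition(b":")
        headers.append((name.strip().decode("latin-1"), val.strip().decode("latin-1")))
    return headers


# Constructed attacker input: a folded "continuation" carrying a second header.
SPLIT_ATTEMPT = "http://example.com/\r\n\tSet-Cookie: session=attacker"


def demo() -> dict:
    """Run both checks and both parsers over the constructed input."""
    folded = build_redirect(SPLIT_ATTEMPT, fold_aware_check)
    return {
        "fold_aware_accepts": folded is not None,
        "strict_accepts": build_redirect(SPLIT_ATTEMPT, strict_check) is not None,
        "rfc_parser_sees": parse_rfc2616(folded) if folded else [],
        "naive_parser_sees": parse_no_folding(folded) if folded else [],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the asymmetry the thread is about: the fold-aware filter accepts the value, a folding-aware parser sees a single (odd-looking) Location header, and a folding-unaware parser sees a separate Set-Cookie header. The strict check rejects the value outright, which is the only option that does not depend on how every intermediary on the path parses whitespace.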