Re: etomite xss
After researching this threat it appears that this is not a direct issue with
Etomite itself but, rather, an exploit which server security lets through... I
have tested several different scripts on several servers and have found this to
be the case...
The variable is actually $_SERVER['PHP_SELF'] and not $_SERVER['PHP_INFO']
which doesn't exist... While running $_SERVER['PHP_SELF'] through
htmlentities() is a round-about solution, this fix would need to be present in
virtually every PHP script opening accessible on the internet unless the
exploit possibility is handled at the server level...
Final disposition... This is not an Etomite specific exploit and I would like
the report rescinded...
Ralph Dahlgren
Lead Developer - The Etomite Project