On 13 October 2010 05:25, Thijs Lensselink <dev@xxxxxxxx> wrote: > ÂOn 10/13/2010 12:19 AM, Daevid Vincent wrote: >> >> http://80vul.com/Zend%20studio/Zend%20studio%20location%20Cross.htm >> >> Interesting. A co-worker and I were JUST noticing how our PHPDoc comments >> were being parsed pretty much verbatim including<b> Âtags and links and >> stuff and thought, "wow, that's stupid, that's just a XSS or injection >> waiting to happen". LOL. Guess someone's ears were burning. ;-) >> >> > > Why didn't you inform Zend before you went full disclosure? > > It's a nasty bug though!! Yesterday, I installed PDT for the first time. Created the scenario for this vulnerability. Get an exception. MS Visual Studio shows a HTML block with the <script> tag in it and that is highlighted as the error. "Microsoft JScript runtime error: Automation server can't create object". -- Richard Quadling Twitter : EE : Zend @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
