Re: PHP Update .. details

2004-12-25 Thread Harry Sufehmi
> Initially a few CVE numbers were assigned and then later withdrawn when it
> became clear that the issues could only be exploited by a user who wrote a
> malicious PHP script - not a remote issue, or too serious. (Given that if
> you had the ability to write evil PHP code you could just run 'system('rm
> ..');'.

Just would like to draw your attention to the following page:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=248046
Basically, they claim that phpBB v2.0.11 running on PHP version < 4.3.10 
becomes remotely vulnerable, and they claim there are exploits in the wild 
-- which backs their claim, and makes it definitely a serious issue.

Once PHP is upgraded to 4.3.10, it's no longer vulnerable.
Being a layman, I'm not able to confirm that claim. However, given that 
this is an official announcement from them, I think it's worth reading over 
at least.
Hopefully the Debian security team will be convinced to patch the php4 package then.

Thanks,
Harry
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
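The message above says the phpBB announcement draws the line at PHP 4.3.10. The check an administrator would want is a version comparison, and the one trap is comparing version strings lexically ("4.3.9" sorts after "4.3.10"). This is an added example, not code from the thread or from the phpBB/Debian projects: it parses constructed `php -v` banners (the banners are made up for the example) and compares the version as integer tuples against the 4.3.10 threshold the message cites.

```python
import re

# Constructed sample `php -v` banners for the example; not captured from any real host.
SAMPLE_BANNERS = {
    "woody":   "PHP 4.1.2 (cli) (built: Dec 12 2004 10:00:00)",
    "older":   "PHP 4.3.9 (cli) (built: Sep 22 2004 09:00:00)",
    "patched": "PHP 4.3.10 (cli) (built: Dec 15 2004 12:34:56)",
}

# Threshold taken from the phpBB announcement cited in the message above.
FIXED_VERSION = (4, 3, 10)


def parse_version(banner):
    """Extract (major, minor, patch) as integers from a `php -v` banner."""
    m = re.search(r"PHP (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no PHP version found in: %r" % banner)
    return tuple(int(x) for x in m.groups())


def is_affected(banner, fixed=FIXED_VERSION):
    """True when the PHP in `banner` is older than the fixed release.

    Integer tuples compare component by component, so (4, 3, 9) < (4, 3, 10).
    A plain string comparison gets this wrong: '4.3.9' > '4.3.10' because
    '9' > '1' at the first differing character.
    """
    return parse_version(banner) < fixed


def string_compare_is_wrong(older="4.3.9", fixed="4.3.10"):
    """Demonstrates the lexical-comparison trap: returns True when the naive
    string comparison ranks the older version as newer."""
    return older > fixed


def report(banners=SAMPLE_BANNERS):
    """Map each host label to whether it still needs the upgrade."""
    return {name: is_affected(b) for name, b in banners.items()}


if __name__ == "__main__":
    for host, affected in report().items():
        print("%-8s %s" % (host, "needs upgrade" if affected else "ok"))
```

On a real machine the banner would come from `php -v` (or `dpkg -l php4` on Debian); the parsing and comparison logic is the same.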


Re: PHP Update .. details

2004-12-23 Thread Hans Kratz
Hi!

>   It's looking like there won't be an update to PHP for Woody, because
>  the majority of the PHP issues aren't relevant.
> 
>   Initially a few CVE numbers were assigned and then later withdrawn
>  when it became clear that the issues could only be exploited by a
>  user who wrote a malicious PHP script - not a remote issue, or too
>  serious.  (Given that if you had the ability to write evil PHP code
>  you could just run 'system('rm ..');'.

Unfortunately those vulnerabilities can be exploited by a user to
execute arbitrary code with the privileges of the user running the
web server (www-data on woody). This defeats the purpose of the PHP
"safe mode" (http://www.php.net/manual/en/features.safe-mode.php) on
which many ISPs rely.

If the Debian project does not want to fix those issues IMHO Debian
should make an official statement that using the PHP safe mode with
Debian Woody does not offer the security one would expect.


Regards,


Hans
--
Hans Kratz

