Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-09 Thread Derek D. Martin
At some point hitherto, Benjamin Scott hath spake thusly: > On Thu, 7 Mar 2002, at 11:15am, [EMAIL PROTECTED] wrote: > > I'm confused as to how this would work. The man page is talking > > about the invocation of a specific method, i.e. the 'import_

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-08 Thread Benjamin Scott
On Thu, 7 Mar 2002, at 11:15am, [EMAIL PROTECTED] wrote: > I'm confused as to how this would work. The man page is talking > about the invocation of a specific method, i.e. the 'import_names()' > method. > > It sounded like things "just happened", when in fact, you must invoke > this method i

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-07 Thread Kenneth E. Lussier
OK, does anyone else see this? Paul and Ben are saying exactly the same thing: It's a matter of bad programming, not a bad programming language. Now, the truly amazing thing is that Paul and Ben actually agree on something. The slightly less astounding fact is that they are *STILL* arguing, des

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-07 Thread Mark Komarinski
The example in PHP that I have is a recipe server that has a variable number of ingredients. You can add more than the default (5) and then pass them back to the server and have it added. This made some real fun on both ends, with me having to create variables like ingred0 through ingred10. It

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-07 Thread plussier
In a message dated: Thu, 07 Mar 2002 11:11:59 EST Benjamin Scott said: >From the Perl CGI(3) manual page: >> This creates a series of variables in the 'R' namespace. For example, >> $R::foo, @R:foo. For keyword lists, a variable @R::keywords will appear. >> If no namespace is given, this meth

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-07 Thread plussier
In a message dated: 07 Mar 2002 11:03:59 EST Mark Komarinski said: >Nope. You can have variables pre-set when the script starts from >both perl and PHP. I have to use it since I have forms that send >a variable number of variables to the controlling script. It's a lot >easier to just pull the

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-07 Thread Benjamin Scott
On Thu, 7 Mar 2002, at 10:54am, [EMAIL PROTECTED] wrote: > I don't believe these can be set from a web form. >From the Perl CGI(3) manual page: > This creates a series of variables in the 'R' namespace. For example, > $R::foo, @R:foo. For keyword lists, a variable @R::keywords will appear. > I

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-07 Thread Mark Komarinski
Nope. You can have variables pre-set when the script starts from both perl and PHP. I have to use it since I have forms that send a variable number of variables to the controlling script. It's a lot easier to just pull the variables out of thin air than set up all the code to figure out how man

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-07 Thread plussier
In a message dated: Thu, 07 Mar 2002 10:33:41 EST Benjamin Scott said: >> Also, things like path, shell, and other environmental variables are all >> set using the global "%ENV" hash, which *should* be cleared out and set to >> known, safe, and accepted defaults. > > Which won't matter much if

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-07 Thread Benjamin Scott
On Thu, 7 Mar 2002, at 8:40am, [EMAIL PROTECTED] wrote: >> Using this feature, an HTML form variable called "foo" results in a >> language variable called "$foo" (in Perl, at least). So the attacker >> submits the "form" with extra variables that do things like change your >> path, shell, interna

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-07 Thread plussier
In a message dated: Thu, 07 Mar 2002 08:36:13 EST Benjamin Scott said: > Using this feature, an HTML form variable called "foo" results in a >language variable called "$foo" (in Perl, at least). So the attacker >submits the "form" with extra variables that do things like change your >path, she

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-07 Thread Benjamin Scott
On Thu, 7 Mar 2002, at 7:54am, [EMAIL PROTECTED] wrote: >> I note that Perl's CGI module has an identical feature (the ability to set >> language variables from an HTML form). > > Please clarify if I'm misunderstanding what you're talking about. Using this feature, an HTML form variable called

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-07 Thread plussier
In a message dated: Thu, 07 Mar 2002 00:03:30 EST Benjamin Scott said: > I note that Perl's CGI module has an identical feature (the ability to set >language variables from an HTML form). Still does, AFAIK. I'm not trying >to compare Perl to PHP here, just point out that tools that allow you

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-06 Thread Benjamin Scott
On Wed, 6 Mar 2002, at 10:50pm, bryan wrote: >> (Yes, I realize this is about as far from scientific as you can get, but >> it is all I have.) > > most of my mod_perl produced web pages have URL's that end in .html or .htm Yah, you can do the same for PHP. Or most web languages, for that matte

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-06 Thread Benjamin Scott
On Wed, 6 Mar 2002, at 11:49pm, Derek D. Martin wrote: > Oh you're such a pain! You know where I get this stuff, and you can > search SF just as easily as I can... :-P Yes, but I do not know *which* message you are referring to. :-) > http://online.securityfocus.com/archive/1/245872 In

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-06 Thread bryan
> "Abandoned" is too strong a word, but based on random web browsing, PHP > is significantly more popular for web development than Perl is. I see > ".php" in URLs far more often than I see ".pl". (Yes, I realize this is > about as far from scientific as you can get, but it is all I have.) mos

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-06 Thread Derek D. Martin
At some point hitherto, Benjamin Scott hath spake thusly: > On Tue, 5 Mar 2002, at 11:01pm, Derek D. Martin wrote: > > And they've in fact made design changes to reduce the negative impact of > > those original design decisions, and in Dec 2001 releas

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-06 Thread Benjamin Scott
On Tue, 5 Mar 2002, at 11:01pm, Derek D. Martin wrote: > And they've in fact made design changes to reduce the negative impact of > those original design decisions, and in Dec 2001 released an advisory to > that effect. Reference? Not that I disbelieve you, but I would like to check it out. >

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-05 Thread Rodent of Unusual Size
"Derek D. Martin" wrote: > > > I think the problem you are seeing is that your average web designer > > cannot code worth a damn. > > I definitely agree that this is a huge factor. But that does not go > very far to explain why there have been relatively few Perl-related > advisories recently

Re: PHP security flamewar (was: Apache "codered" looming???)

2002-03-05 Thread Derek D. Martin
At some point hitherto, Benjamin Scott hath spake thusly: > > There are also some earlier advisories which complain about the design of > > PHP encouraging the development of insecure code. It seems that writing > > secure PHP scripts is also very di

PHP security flamewar (was: Apache "codered" looming???)

2002-03-05 Thread Benjamin Scott
On Tue, 5 Mar 2002, at 4:30pm, Derek D. Martin wrote: > However, just this year: > > http://online.securityfocus.com/archive/1/258995 > http://online.securityfocus.com/archive/1/258662 I believe these two are the same issue, the one originally under discussion in this thread. > http://online.

Re: Apache "codered" looming???

2002-03-05 Thread Paul Iadonisi
Anybody know anything about moto or have any opinion on it, especially security-wise? It's at http://www.webcodex.com/moto/. I ask because I *really* like the idea that it (supposedly) makes it easy to build a web application that you can first interpret (for development) and later compile int

Re: Apache "codered" looming???

2002-03-05 Thread Derek D. Martin
At some point hitherto, Rodent of Unusual Size hath spake thusly: > "Derek D. Martin" wrote: > > > > I'll go one better than that. If you use PHP, STOP. They have > > security bulletins released about once a week, it seems (o.k. I'm > > exaggeratin

Re: Apache "codered" looming???

2002-03-05 Thread Benjamin Scott
On Tue, 5 Mar 2002, at 3:27pm, Rodent of Unusual Size wrote: >> I'll go one better than that. If you use PHP, STOP. > > Eh, I don't buy that. Please back it up with some references. Yah, ditto. This is the first serious PHP security bulletin I've seen in recent memory. -- Ben Scott <[EMAI

Re: Apache "codered" looming???

2002-03-05 Thread Rodent of Unusual Size
"Derek D. Martin" wrote: > > I'll go one better than that. If you use PHP, STOP. They have > security bulletins released about once a week, it seems (o.k. I'm > exaggerating A LITTLE). About the only "vendor" with more frequent > releases is Microsoft... Eh, I don't buy that. Please back it

Re: Apache "codered" looming???

2002-03-05 Thread Derek D. Martin
At some point hitherto, Karl J. Runge hath spake thusly: > Call me "chicken little", but I am getting worried about the looming > Apache/PHP vulnerability out there: > > http://news.com.com/2100-1001-850752.html?tag=cd_mh > http://sec

Re: Apache "codered" looming???

2002-03-05 Thread Karl J. Runge
On Tue, 5 Mar 2002, Benjamin Scott <[EMAIL PROTECTED]> wrote: > > My understanding is that this hole does not lead directly to privilege > elevation. In other words, it might lead to compromise of the "nobody" > account or similar, but not full root access (like CodeRed). Am I correct > her

Re: Apache "codered" looming???

2002-03-05 Thread Benjamin Scott
On Tue, 5 Mar 2002, at 9:01am, Karl J. Runge wrote: > Call me "chicken little", but I am getting worried about the looming > Apache/PHP vulnerability out there: My understanding is that this hole does not lead directly to privilege elevation. In other words, it might lead to compromise of the

Apache "codered" looming???

2002-03-05 Thread Karl J. Runge
Call me "chicken little", but I am getting worried about the looming Apache/PHP vulnerability out there: http://news.com.com/2100-1001-850752.html?tag=cd_mh http://security.e-matters.de/advisories/012002.html http://www.cert.org/advisories/CA-2002-05.html If you have a we