On Wed, 2007-07-11 at 23:38 +0200, Rainer Duffner wrote:
> On 11.07.2007 at 20:53, Bill Marquette wrote:
> 
> > I know of no official audit of our code.  Nor have I ever seen a post
> > to bugtraq, full-disclosure, or anything on secunia.  But take that
> > for what it's worth...nothing.
> >
> 
> 
> A code audit of the GUI/back-end would be pretty nice.

But at this point, largely pointless. If you can touch any PHP page now,
you have root access (you must first pass HTTP basic auth). We know
there are probably issues in a number of the pages, but it doesn't
matter. No point in worrying about what someone with root access can do
to your system - they, by definition, can do anything. Nobody is going
to try to exploit PHP bugs when they have root access already. 

The things to worry about would be FreeBSD issues, and issues in
included components. None of the included components have a bad security
track record. Rainer's post contained a number of other good points I
won't duplicate. 

I use PIX firewalls extensively. To compare vulnerabilities based on my
memory from the last couple years, the PIX has had quite a few more
(though not very many itself). We've actually yet to release a single
pfSense version for security reasons; none of the FreeBSD and related
vulnerabilities discovered have been applicable to the system at this
point (knock on wood). 



