[nycphp-talk] Re: Upcoming Month of PHP Bugs (michael)
Hans Zaunere
lists at zaunere.com
Wed Feb 21 22:49:39 EST 2007
csnyder wrote on Wednesday, February 21, 2007 3:15 PM:
> On 2/21/07, Nate Abele <nate at cakephp.org> wrote:
> > Despite the claims, I'm not so sure that most of these security
> > issues couldn't be mitigated with a proper server configuration and
> > a well-designed application. While I'm sure there are
> > vulnerabilities that exist in a *stock* installation of PHP
> > (especially in older versions where things like register_globals
> > and allow_url_fopen were enabled by default... wait... is
> > allow_url_fopen *still* enabled by default??), there's a lot you
> > can do in terms of configuration to minimize your application's
> > target profile.
> >
> > Also, I seem to remember Chris Shiflett having some clarifying
> > comments on Stefan and his Suhosin project, so perhaps he could
> > weigh in here (hint, hint ;-).
>
> Hi Nate, top posting as usual I see.
>
> So for the sake of argument, let's say there's a buffer overflow
> vulnerability in getimagesize(), that could be exploited by a
> carefully crafted jpeg. It doesn't matter at that point how careful
> you were when you wrote your app. As soon as an attacker (er, script
> kiddie) uploads a poison jpeg, she owns your server.
So... is this a bug in PHP or GD? :)
> These are the kinds of bugs Esser is talking about, not the XSS or SQL
> injection attacks that are typically the fault of an application
> developer.
But yes, I agree - it's talking about these types of buffer overflows and
classic C security problems that I think made us all pay attention to this
announcement.
The classic PHP quagmire, of course, is that there's a fine line between a
problem in PHP/ZE core, and a problem in a linked library. There are likely
problems on both sides of the fence.
If Esser comes out with legitimate critical bugs on the PHP/ZE side, then
it's going to have a long-term consequence. Otherwise, it'll be disregarded
as hype.
---
Hans Zaunere / President / New York PHP
www.nyphp.org / www.nyphp.com