Bugtraq mailing list archives
Re: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite
From: Stefan Esser <sesser () hardened-php net>
Date: Sat, 10 Mar 2007 18:23:42 +0100
Hello Stefano,
first of all, I am not angry at you, although my mail might have sounded so, but at the people that deserve it. The fault of the PHP Security Response Team is not yours. They are the ones that give credit to the wrong persons. Luckily after 2.5 years they fixed that issue (or at least tried so).
Anyway it seems that your month of php bugs is getting php developers more sensitive to all issues... Maybe there was some misunderstanding between you and dev team and the core team was less interested in this kind of flaws at that time.
This is the goal of the MOPB. And right now it might look like the MOPB was already successful. Unfortunately I have worked together with the PHP Security Response Team for several years and I know how they react. They might be active for a little while (especially when the media looks at them) but when that period of time is over they will continue with their old habits.
Stefan Esser