Full Disclosure mailing list archives
Re: PHP import_request_variables() arbitrary variable overwrite
From: ascii <ascii () katamail com>
Date: Sat, 10 Mar 2007 18:05:43 +0100
Stefan Esser wrote:
Taking into account that the vulnerability you describe is fixed in Hardened-PHP for years and that there is also a protection against this in the Suhosin Extension you can be sure that this NOT a new vulnerability (and that you are not the first one who found it...)
not being credited is really annoying and i understand your feelings but it happens, take a look here, this vulnerability was fixed 3, 4 times? http://www.ush.it/2006/01/25/php5-globals-vulnerability/ i'm sure i wasn't credited at all but who cares, i just want the bugs fixed, and i think that this is the spirit of this month
For the record, the same vulnerability was reported by me on the 23.10.2004 at 22:05 in a mail to security () php net (before I added the protection to Hardened-PHP) At that time the PHP developers considered it NOT A VULNERABILITY.
some misunderstanding in the communication between you and php team? it happens and i'm sad for it but this is not our fault fun on 21.10.2004 at 20:12 i called my grandmother but she was sleeping, she is an old lady and it's normal to fall asleep at that age : ) /fun i think that it's possible that your month of php bugs could have changed the way php devs look to vulnerabilities (if so the goal is fully reached) or it could be the full disclosure i mean: why don't publish something you found in 2004? just post an advisory of the type "i found this, they said NO-NO, this is the bug, use my products to get protection"
Well now the PHP developers have commited a fix for this to the PHP CVS, crediting you instead of the original reporter (me) and as usual the fix is only fixing a part of the problem.
umh.. next time publish your findings : ) you will get credit from the beginning and the bug will be fixed my feeling is that it's important to fix software, any way is allowed: if internal disclosure doesn't work i'll post to fd, or post directly to fd and while your products are valid and i personally use them my guess is that it's more important to fix things in php itself as from the statement you made "initiative to improve PHP's security" if there are other things in your products that are not fixed in php why don't publish them?
(Hint: long names like HTTP_POST_VARS do exist...)
the just fixed _POST and so on? nice : ) i really appreciate your work with php, keep up with the disclosure! Regards, Francesco 'ascii' Ongaro http://www.ush.it/ ps: add some smiles in your mails or people will get confused about the tone of your speaking : ) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- PHP import_request_variables() arbitrary variable overwrite Stefano Di Paola (Mar 08)
- Re: PHP import_request_variables() arbitrary variable overwrite Stefan Esser (Mar 10)
- Re: PHP import_request_variables() arbitrary variable overwrite ascii (Mar 10)
- Re: PHP import_request_variables() arbitrary variable overwrite Stefano Di Paola (Mar 10)
- Re: PHP import_request_variables() arbitrary variable overwrite Stefan Esser (Mar 10)
- Re: PHP import_request_variables() arbitrary variable overwrite Stefan Esser (Mar 10)