Date: Sun, 15 Oct 2006 14:08:03 -0500
From: Paul Schmehl <pauls@utdallas.edu>
To: freebsd-questions@freebsd.org
Subject: Re: PHP new vulnarabilities
Message-ID: <E00137373E5BAB432E949CD3@paul-schmehls-powerbook59.local>
In-Reply-To: <20061015145034.0f039b05.wmoran@collaborativefusion.com>
References: <45322A1D.8070204@hadara.ps> <20061015151215.15a4062e@loki.starkstrom.lan> <200610151239.12127.freebsd@dfwlp.com> <453274C3.7090409@bsdunix.ch> <0F7C0CB4C34ECD44CCF3CDD0@paul-schmehls-powerbook59.local> <20061015145034.0f039b05.wmoran@collaborativefusion.com>
--On October 15, 2006 2:50:34 PM -0400 Bill Moran <wmoran@collaborativefusion.com> wrote:

> Have you looked at the vulnerability? There are only certain coding
> instances that would actually open this up to any attack vector. Since
> the bug is in unserialize, it's pretty easy to audit a program to ensure
> that it isn't vulnerable.
>
> "absolute fool" seems a little extreme.

Perhaps. How many people are talented enough to understand the vulnerability and how it's exploited and know *for certain* that they won't have a problem?

It would be different if we were talking about an app that isn't exploited much. PHP is exploited every day, even when it's fully patched, due to the complexity of the attacks and the lack of understanding of most people who code in PHP.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/