From owner-freebsd-questions@FreeBSD.ORG Sun Oct 15 19:08:10 2006
Date: Sun, 15 Oct 2006 14:08:03 -0500
From: Paul Schmehl <pauls@utdallas.edu>
To: freebsd-questions@freebsd.org
In-Reply-To: <20061015145034.0f039b05.wmoran@collaborativefusion.com>
Subject: Re: PHP new vulnerabilities

--On October 15, 2006 2:50:34 PM -0400 Bill Moran wrote:

> Have you looked at the vulnerability? There are only certain coding
> instances that would actually open this up to any attack vector. Since
> the bug is in unserialize, it's pretty easy to audit a program to ensure
> that it isn't vulnerable.
>
> "absolute fool" seems a little extreme.

Perhaps. How many people are talented enough to understand the
vulnerability and how it's exploited and know *for certain* that they
won't have a problem?

It would be different if we were talking about an app that isn't exploited
much. PHP is exploited every day, even when it's fully patched, due to
the complexity of the attacks and the lack of understanding of most people
who code in PHP.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
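The audit Bill describes, as an added example that is not part of the thread: a shell pass that lists every unserialize() call under a PHP source tree and flags the ones fed from a request superglobal on the same line. The sample tree and the function names are constructed here for illustration, and the one-line check deliberately shows where a grep-level audit stops short of real data-flow tracing.

```shell
#!/bin/sh
# Constructed sample PHP tree (not from the thread) so the audit runs offline.
mk_sample() {
  dir=$(mktemp -d)
  cat > "$dir/cart.php" <<'EOF'
<?php
// untrusted: cookie value straight from the client
$cart = unserialize($_COOKIE['cart']);
// untrusted: request parameter, even though it is decoded first
$prefs = unserialize(base64_decode($_REQUEST['p']));
// trusted: state the application itself wrote to a local cache file
$cache = unserialize(file_get_contents('/var/cache/app/state.ser'));
echo "unserialize is risky";
EOF
  printf '%s\n' "$dir"
}

# Every unserialize() call site under $1, in grep -n "file:line:text" form.
list_unserialize_calls() {
  grep -rn --include='*.php' -E 'unserialize[[:space:]]*\(' "$1"
}

# Of those, the calls whose argument mentions a request superglobal on the
# same line. This is a coarse first pass only: a value copied into a local
# variable on an earlier line is missed, which is why "easy to audit" still
# needs a reviewer reading each call site.
flag_untrusted_calls() {
  list_unserialize_calls "$1" |
    grep -E '\$_(GET|POST|COOKIE|REQUEST|SERVER)\['
}

count_flagged() {
  flag_untrusted_calls "$1" | wc -l | tr -d ' '
}
```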