Date: Sun, 15 Oct 2006 14:08:03 -0500
From: Paul Schmehl <pauls@utdallas.edu>
To: freebsd-questions@freebsd.org
Subject: Re: PHP new vulnarabilities
Message-ID: <E00137373E5BAB432E949CD3@paul-schmehls-powerbook59.local>
In-Reply-To: <20061015145034.0f039b05.wmoran@collaborativefusion.com>
References: <45322A1D.8070204@hadara.ps>
 <20061015151215.15a4062e@loki.starkstrom.lan>
 <200610151239.12127.freebsd@dfwlp.com>
 <453274C3.7090409@bsdunix.ch>
 <0F7C0CB4C34ECD44CCF3CDD0@paul-schmehls-powerbook59.local>
 <20061015145034.0f039b05.wmoran@collaborativefusion.com>

--On October 15, 2006 2:50:34 PM -0400 Bill Moran <wmoran@collaborativefusion.com> wrote:

>
> Have you looked at the vulnerability? There are only certain coding
> instances that would actually open this up to any attack vector. Since
> the bug is in unserialize, it's pretty easy to audit a program to ensure
> that it isn't vulnerable.
>
> "absolute fool" seems a little extreme.

Perhaps. How many people are talented enough to understand the vulnerability and how it's exploited and know *for certain* that they won't have a problem?

It would be different if we were talking about an app that isn't exploited much. Php is exploited every day, even when it's fully patched, due to the complexity of the attacks and the lack of understanding of most people who code in php.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
