Re: Re: PHP Security

Chris Shiflett wrote:
> --- Greg Donald <destiney@xxxxxxxxx> wrote:
>> http://seclists.org/lists/security-basics/2004/Dec/0080.html
>
> Most of this is actually true.
>
> The one statement that is unclear is the following:
>
>     "There are two kinds of flaws :
>     - flaws inherent to the php language itself, as seen before, in file
>     uploads.
>     - danger in uploading files at all on the server, not dependent
>     on the language used to handle the actual upload, but regarding
>     the potential execution of uploaded files."
>
> This may have been meant hypothetically, meaning that there are two areas
> where flaws could potentially exist - in the language or in the code. If
> this was meant to suggest that there are existing flaws in the language,
> then this is never justified.

I didn't find the statement to be unclear:  that kind of flaw can exist,
and it has been seen.

There was, unless I've been severely misinformed, a file upload security
bug in a PHP 4 Beta (possibly even Release Candidate).  Did it make it to
release?  I'm sure anybody on this list can dig out that answer as fast as
I, so I won't.  You'll learn more finding out for yourself anyway.

Now, granted, that flaw was fixed IMMEDIATELY.

And, granted, a SysAdmin who chooses to put Beta software on a server is
responsible for the inherent risks involved.

The point, however, that such potential flaws can exist, and could remain
undetected even now in stable, released code (even PHP) is valid.

I personally don't *believe* such flaws could have survived the scrutiny
after the known problems were suffered by the PHP Development Team.

But I don't think any professional will claim that it's impossible for
them to exist.

PS
For the inexperienced reader:  This is, as far as I know, the ONLY known
security flaw in actual PHP C source code to get anywhere near release
form.

But PHP is a powerful tool, and there are innumerable ways it can be used,
mis-used, and just plain abused by yourself to make your own server
insecure.

Do the best you can to figure out how and when, and you'll do all right.

-- 
Like Music?
http://l-i-e.com/artists.htm
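The second kind of flaw in the quoted statement, an uploaded file that the server can later execute, is decided by how the upload handler stores the file rather than by PHP itself. As an added example that is not code from this thread, here is a hardened PHP upload handler; it assumes modern PHP (7 or later), a form field named `upload`, and a storage directory outside the document root that the web server neither serves nor executes from.

```php
<?php
// Added example (not from the thread): hardened handling of a browser file
// upload in PHP, aimed at the risk the quoted post names: uploaded files
// being executed by the server.
// Assumptions: the form field is "upload" and UPLOAD_DIR is a directory
// outside the document root that the web server does not serve or execute.

const UPLOAD_DIR = '/var/app/uploads';        // assumed path, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;           // 2 MiB, an illustrative limit
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

function store_upload(string $field): string
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('no file or upload error');
    }
    $tmp = $_FILES[$field]['tmp_name'];

    // Only trust files PHP itself received via HTTP POST; this blocks a
    // forged tmp_name that points at an arbitrary file on the server.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Never trust the client-supplied name or type: sniff the content and
    // take the extension from an allow-list keyed on the detected MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('disallowed content type: ' . $mime);
    }

    // Random, server-chosen filename: no path components and no
    // user-controlled extension, so no script file name ever lands on disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    // move_uploaded_file() itself refuses anything that is not a genuine upload.
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640);   // plain data file, never executable
    return $name;
}

// Usage inside the POST handler:
// $stored = store_upload('upload');
```

Serving the stored file back should go through a script that reads it by the stored name and sends it with a fixed Content-Type, not by exposing UPLOAD_DIR directly.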

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

