Chris Shiflett wrote: > --- Greg Donald <destiney@xxxxxxxxx> wrote: >> http://seclists.org/lists/security-basics/2004/Dec/0080.html > > Most of this is actually true. > > The one statement that is unclear is the following: > > "There are two kinds of flaws : > - flaws inherent to the php langage itself, as seen before, in file > uploads. > - danger in uploading files at all on the server, not dependent > on the langage used to handle the actual upload, but regarding > the potential execution of uploaded files." > > This may have meant meant hypothetically, meaning that there are two areas > where flaws could potentially exist - in the language or in the code. If > this was meant to suggest that there are existing flaws in the language, > then this is never justified. I didn't find the statemtn to be unclear: that kind of flaw can exist, and it has been seen. There was, unless I've been severely misinformed, a file upload security bug in a PHP 4 Beta (possibly even Release Candidate). Did it make it to release? I'm sure anybody on this list can dig out that answer as fast as I, so I won't. You'll learn more finding out for yourself anyway. Now, granted, that flaw was fixed IMMEDIATELY. And, granted, a SysAdmin who chooses to put Beta software on a server is responsible for the inherent risks involved. The point, however, that such potential flaws can exist, and could remain undetected even now in stable, released code (even PHP) is valid. I personally don't *believe* such flaws could have survived the scrutiny after the known problems were suffered by the PHP Development Team. But I don't think any professionial will claim that it's impossible for them to exist. PS For the inexperienced reader: This is, as far as I know, the ONLY known security flaw in actual PHP C source code to get anywhere near release form. But PHP is a powerful tool, and there are innumerable ways it can be used, mis-used, and just plain abused by yourself to make your own server insecure. Do the best you can to figure out how and when, and you'll do all right. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php