Chris Shiflett wrote:
--- Greg Donald <destiney@xxxxxxxxx> wrote:
http://seclists.org/lists/security-basics/2004/Dec/0080.html
Most of this is actually true.
The one statement that is unclear is the following:
"There are two kinds of flaws : - flaws inherent to the php langage itself, as seen before, in file uploads. - danger in uploading files at all on the server, not dependent on the langage used to handle the actual upload, but regarding the potential execution of uploaded files."
This may have meant meant hypothetically, meaning that there are two areas where flaws could potentially exist - in the language or in the code. If this was meant to suggest that there are existing flaws in the language, then this is never justified.
I didn't find the statemtn to be unclear: that kind of flaw can exist, and it has been seen.
There was, unless I've been severely misinformed, a file upload security bug in a PHP 4 Beta (possibly even Release Candidate). Did it make it to release? I'm sure anybody on this list can dig out that answer as fast as I, so I won't. You'll learn more finding out for yourself anyway.
<snip>
I'm pretty sure Chris is one who doesn't have to dig to find out about an old security flaw.
-- John C. Nichel ÜberGeek KegWorks.com 716.856.9675 john@xxxxxxxxxxxx
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
