
[nycphp-talk] Upcoming Month of PHP Bugs (michael)

Nate Abele nate at cakephp.org
Wed Feb 21 20:56:13 EST 2007


> Date: Wed, 21 Feb 2007 15:15:04 -0500
> From: csnyder <chsnyder at gmail.com>
> Subject: Re: [nycphp-talk] Re: Upcoming Month of PHP Bugs (michael)
> To: "NYPHP Talk" <talk at lists.nyphp.org>
>
> On 2/21/07, Nate Abele <nate at cakephp.org> wrote:
>> Despite the claims, I'm not so sure that most of these security
>> issues couldn't be mitigated with a proper server configuration and a
>> well-designed application.  While I'm sure there are vulnerabilities
>> that exist in a *stock* installation of PHP (especially in older
>> versions where things like register_globals and allow_url_fopen were
>> enabled by default... wait... is allow_url_fopen *still* enabled by
>> default??), there's a lot you can do in terms of configuration to
>> minimize your application's target profile.
>>
>> Also, I seem to remember Chris Shiflett having some clarifying
>> comments on Stefan and his Suhosin project, so perhaps he could weigh
>> in here (hint, hint ;-).
>
> Hi Nate, top posting as usual I see.

My bad.  I read the list in digest form, so it's out of habit from
the way in which I typically respond to email.  I'll consider myself
warned. :-P

> So for the sake of argument, let's say there there's a buffer overflow
> vulnerability in getimagesize(), that could be exploited by a
> carefully crafted jpeg. It doesn't matter at that point how careful
> you were when you wrote your app. As soon as an attacker (er, script
> kiddie) uploads a poison jpeg, she owns your server.
>
> These are the kinds of bugs Esser is talking about, not the XSS or SQL
> injection attacks that are typically the fault of an application
> developer.

Chris, I didn't say *all* of the security issues Stefan raises
weren't legitimate, I said *most*.  Looking over the article, Stefan
mentions things like register_globals and magic_quotes_gpc, both of
which, I'm sure you'll agree, are poor excuses for proper implementation.

Obviously, we have yet to see the actual list of flaws disclosed, so  
until then, we're pretty much all in the same boat.

- Nate
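Since the thread turns on which of these issues configuration can actually cover, here is a php.ini fragment, added for this archive page and not taken from any message in the thread, that puts the PHP 4 / early PHP 5 era weak values Nate and Stefan mention next to the hardened values. The directives are real php.ini settings; the comments and the open_basedir path are mine. On Nate's question: allow_url_fopen does default to On; PHP 5.2 moved remote include()/require() under the separate allow_url_include directive, which defaults to Off.

```ini
; Weak values the thread mentions, each followed by the hardened value.
; Directives are real php.ini settings; comments are added for this example.

; register_globals: injects GET/POST/cookie keys straight into the global
; variable namespace, so an unset $authorised can be supplied by the client.
; Off by default since PHP 4.2 (removed in 5.4), but old php.ini files still set:
; register_globals = On
register_globals = Off

; magic_quotes_gpc: auto-escapes request data with addslashes(). It is not a
; substitute for per-context escaping (prepared statements, htmlspecialchars)
; and it double-escapes data in applications that already escape correctly.
; magic_quotes_gpc = On
magic_quotes_gpc = Off

; allow_url_fopen: still defaults to On. It lets fopen()/file_get_contents()
; fetch http:// and ftp:// URLs; before PHP 5.2 it also governed include(), so
; include($_GET['page']) was remote code execution. Turn it off unless the
; application really needs to fetch remote URLs.
; allow_url_fopen = On
allow_url_fopen = Off

; allow_url_include (new in PHP 5.2): controls include/require of URLs on its
; own. Keep it Off even where allow_url_fopen has to stay On.
allow_url_include = Off

; Limit what a compromised script can reach and what an attacker learns.
display_errors = Off
log_errors = On
expose_php = Off
open_basedir = /var/www/example.com/htdocs   ; assumed path for this example
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
```

None of these settings touches the case Chris raises: a memory-corruption bug inside a C-level function such as getimagesize() runs with whatever privileges the PHP process has regardless of php.ini. For that class of bug the only configuration-side mitigations are keeping PHP patched, running it as a low-privilege user so an exploited process owns as little as possible, and hardening patches such as Suhosin.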


