Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:15778
Return-Path:
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 89919 invoked by uid 1010); 4 Apr 2005 04:31:57 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 89904 invoked from network); 4 Apr 2005 04:31:57 -0000
Received: from unknown (HELO orgio.net) (127.0.0.1) by localhost with SMTP; 4 Apr 2005 04:31:57 -0000
X-Host-Fingerprint: 216.9.132.134 arvo.suso.org Linux 2.5 (sometimes 2.4) (4)
Received: from ([216.9.132.134:39685] helo=arvo.suso.org) by pb1.pair.com (ecelerity HEAD r(5268)) with SMTP id 9F/42-19272-B33C0524 for ; Mon, 04 Apr 2005 00:31:55 -0400
Received: by arvo.suso.org (Postfix, from userid 509) id 2989013133F; Mon, 4 Apr 2005 04:32:33 +0000 (GMT)
Date: Mon, 4 Apr 2005 04:32:33 +0000
To: internals@lists.php.net
Message-ID: <20050404043233.GV32563@arvo.suso.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.6i
Subject: Should I report this bug/exploit?
From: mark@suso.org (Mark Krenz)

Hi,

I've been using PHP for a long time and have recently found a couple of major bugs that would allow pretty much any user on a shared web hosting server to read other users' files. The conditions for this exploit are quite common. Also, from what I can tell, this exploit would not be very easy to fix and in fact may not be fixable until a per-user MPM for Apache is completely ready (like perchild or Metux). It could be that you already know about this problem but have also not reported it. I couldn't find any other information about it from doing some searches. This leads me to wonder: is it a good idea to make this vulnerability known?

On the one hand, releasing the information would allow admins and developers to try to fix it, but on the other hand, if it's not immediately fixable it would allow for a large window of opportunity for attacks. Thus, I came to this list for some advice on what I should do. Maybe I could at least email one of you privately so that you can see what it is.

Thanks,

Mark

--
Mark S. Krenz
IT Director
Suso Technology Services, Inc.
http://suso.org/
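The condition the mail points at, every customer's PHP scripts on a shared Apache host executing under one server UID so that Unix file permissions cannot separate one account from another, is exactly what a per-user MPM is meant to remove. As an added example that is not part of the original mail or of PHP's own code, the following administrator-side check reports whether the UID the PHP process runs as matches the owner of the script file; the function name, the report layout and the assumption that the POSIX extension is available are mine.

```php
<?php
// Added example, not from the original post: report whether this script
// runs under its owner's identity (per-user execution) or under a shared
// web-server account. Assumes a POSIX system with the posix extension.

function uidToName(int $uid): string
{
    // Resolve a UID to a login name; fall back to the numeric value.
    $pw = posix_getpwuid($uid);
    return $pw !== false ? $pw['name'] : (string) $uid;
}

function isolationReport(string $scriptPath): array
{
    $owner = fileowner($scriptPath);   // UID that owns the script file
    $euid  = posix_geteuid();          // UID the PHP process is executing as

    return [
        'script_owner'       => uidToName($owner),
        'process_user'       => uidToName($euid),
        // If the two differ, PHP is running as a shared account: any script on
        // the host can read whatever files that shared account can read, and
        // per-customer file permissions provide no separation.
        'per_user_isolation' => ($owner === $euid),
    ];
}

header('Content-Type: text/plain');
foreach (isolationReport(__FILE__) as $key => $value) {
    printf("%-20s %s\n", $key, is_bool($value) ? ($value ? 'yes' : 'no') : $value);
}
```

Run it once as a normal customer script on the host in question: a `per_user_isolation` of `no` means the server is in the shared-UID configuration the mail describes, and the remedy is at the web-server level (a per-user MPM or equivalent), not in application code.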