Newsgroups: php.internals
Subject: Re: [PHP-DEV] Should I report this bug/exploit?
From: mark@suso.org (Mark Krenz)
To: Rasmus Lerdorf
Cc: internals@lists.php.net
Date: Mon, 4 Apr 2005 04:50:58 +0000
Message-ID: <20050404045058.GW32563@arvo.suso.org>
In-Reply-To: <4250C42F.7070608@lerdorf.com>
References: <20050404043233.GV32563@arvo.suso.org> <4250C42F.7070608@lerdorf.com>
User-Agent: Mutt/1.5.6i

Is that a publicly accessible mailing list, or does it just go to a few people?

On Mon, Apr 04, 2005 at 04:35:59AM GMT, Rasmus Lerdorf [rasmus@lerdorf.com] said the following:
> Such issues should be directed to security@php.net
>
> Mark Krenz wrote:
> > Hi, I've been using PHP for a long time and have recently found a
> > couple of major bugs that would allow pretty much any user on a shared
> > web hosting server to read other users' files. The conditions for this
> > exploit are quite common. Also, from what I can tell, this exploit
> > would not be very easy to fix and in fact may not be fixable until a
> > per-user MPM for Apache is completely ready (like perchild or Metux).
> > It could be that you already know about this problem but have also not
> > reported it. I couldn't find any other information about it from doing
> > some searches.
> >
> > This leads me to wonder, is it a good idea to make this vulnerability
> > known? On the one hand, releasing the information would allow admins
> > and developers to try to fix it, but on the other hand, if it's not
> > immediately fixable it would allow for a large window of opportunity for
> > attacks. Thus, I came to this list for some advice on what I should do.
> > Maybe I could at least email one of you privately so that you can see
> > what it is.
> >
> > Thanks,
> >
> > Mark
>

-- 
Mark S. Krenz
IT Director
Suso Technology Services, Inc.
http://suso.org/