Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:15781
Return-Path: <rasmus@lerdorf.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 27588 invoked by uid 1010); 4 Apr 2005 05:07:33 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 27573 invoked from network); 4 Apr 2005 05:07:32 -0000
Received: from unknown (HELO lerdorf.com) (127.0.0.1)
  by localhost with SMTP; 4 Apr 2005 05:07:32 -0000
X-Host-Fingerprint: 204.11.219.139 lerdorf.com Linux 2.4/2.6
Received: from ([204.11.219.139:40196] helo=colo.lerdorf.com)
	by pb1.pair.com (ecelerity HEAD r(5268)) with SMTP
	id 9E/35-19272-39BC0524 for <internals@lists.php.net>; Mon, 04 Apr 2005 01:07:32 -0400
Received: from [192.168.2.106] (c-24-6-1-160.hsd1.ca.comcast.net [24.6.1.160])
	(authenticated bits=0)
	by colo.lerdorf.com (8.13.4/8.13.4/Debian-1) with ESMTP id j344ZxNr013348
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
	Sun, 3 Apr 2005 21:36:00 -0700
Message-ID: <4250C42F.7070608@lerdorf.com>
Date: Sun, 03 Apr 2005 21:35:59 -0700
User-Agent: Mozilla Thunderbird 1.0 (Macintosh/20050217)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Mark Krenz <mark@suso.org>
CC: internals@lists.php.net
References: <20050404043233.GV32563@arvo.suso.org>
In-Reply-To: <20050404043233.GV32563@arvo.suso.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Should I report this bug/exploit?
From: rasmus@lerdorf.com (Rasmus Lerdorf)

Such issues should be directed to security@php.net

Mark Krenz wrote:
>   Hi,  I've been using PHP for a long time and have recently found a
> couple of major bugs that would allow pretty much any user on a shared
> web hosting server to read other user's files.  The conditions for this
> exploit are quite common.   Also, from what I can tell, this exploit
> would not be very easy to fix and in fact may not be fixable until a
> peruser MPM for Apache is completely ready (Like perchild or Metux).
> It could be that you already know about this problem but have also not
> reported it.  I couldn't find any other information about it from doing
> some searches.
> 
>   This leads me to wonder, is it a good idea to make this vulnerability
> known?  On the one hand, releasing the information would allow admins
> and developers to try to fix it, but on the other hand, if its not
> immediately fixable it would allow for a large window of opportunity for
> attacks.  Thus, I came to this list for some advice on what I should do.
> Maybe I could at least email one of your privately so that you can see
> what it is.
> 
> Thanks,
> 
> Mark
>