Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:27378 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 75199 invoked by uid 1010); 11 Jan 2007 18:59:46 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 75184 invoked from network); 11 Jan 2007 18:59:46 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 Jan 2007 18:59:46 -0000 Authentication-Results: pb1.pair.com smtp.mail=sesser@hardened-php.net; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=sesser@hardened-php.net; sender-id=unknown Received-SPF: error (pb1.pair.com: domain hardened-php.net from 81.169.146.188 cause and error) X-PHP-List-Original-Sender: sesser@hardened-php.net X-Host-Fingerprint: 81.169.146.188 mo-p07-ob.rzone.de Solaris 10 (beta) Received: from [81.169.146.188] ([81.169.146.188:29017] helo=mo-p07-ob.rzone.de) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 18/69-15642-22986A54 for ; Thu, 11 Jan 2007 13:59:46 -0500 Received: from [192.168.1.77] (p5B005093.dip.t-dialin.net [91.0.80.147]) by post.webmailer.de (klopstock mo24) (RZmta 3.11) with ESMTP id j0BG7uPl00261C; Thu, 11 Jan 2007 19:59:43 +0100 (MET) Date: Thu, 11 Jan 2007 19:59:43 +0100 (MET) Message-ID: <45A6891E.8070302@hardened-php.net> User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: Stanislav Malyshev CC: internals@lists.php.net References: <20070111144144.GV15998@mint.phcomp.co.uk> <45A65B19.40900@lerdorf.com> <45A6600D.1090500@hardened-php.net> <45A67E74.1080904@zend.com> In-Reply-To: <45A67E74.1080904@zend.com> X-Enigmail-Version: 0.94.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Comments on PHP security From: sesser@hardened-php.net (Stefan Esser) > I wonder what do you mean by that - that PHP group should publish > press release "PHP is not secure, please do not use it anymore" or > what? I see PHP group is working quite well eliminating the security > issues. As far as I know, last year there was 7 remotely exploitable > issues in PHP (which is regrettable but that's the way of life to have > bugs), and all of them are fixed, IIRC, and within acceptable > timeframe (the last can be debatable, but PHP being opesource project > the only way to fix it is to get more participation from people in > submitting patches). I know of no remotely exploitable security issue > that is now in current PHP version. > So I wonder what would you like PHP Group to improve? What would you > mean by facing reality - what in your opinion the reality is and what > would you have PHP group to do to satisfy you on facing reality account? First of all PHP group is doing nothing. Neither do they improve PHP's security nor do they stop well known PHP license abusers (because they are friends). Secondly security patches are done by Ilia and maybe the Zend stuff by Dmitry. All the others are doing nothing in the sense of security. And do I need to remind you about a certain bug in the new super duper Zend Memory manager that results in a far too small buffer being allocated? Do I need to post an exploit that uses this bug to exploit for example the Soap HTTP client from ext/soap? This is a kind of remote exploit against PHP. And god knows how many other places are vulnerable because of the new "improved" Zend Memory Manager. And what about the heap underflow bug in ext/filter... Also not a remote exploit? The fact that you do not know about any remote exploit against PHP is quite irrelevant for reality. Stefan Esser