Newsgroups: php.internals
Subject: Re: [PHP-DEV] Comments on PHP security
From: Ilia Alshanetsky <ilia@prohost.org>
To: Jordan Moore
Cc: internals@lists.php.net
Date: Thu, 11 Jan 2007 14:29:32 -0500
Message-ID: <832D0C38-27FF-4ACA-9942-77F0F5E88C0C@prohost.org>
In-Reply-To: <61504d990701111123t2ea8627cs829cd37f996ee3af@mail.gmail.com>

Rather than commenting on what other people should and should not do, do
something productive like fix bugs or help to extend the PHP test suite.

On 11-Jan-07, at 2:23 PM, Jordan Moore wrote:

> This is pathetic. I thought most of you were adults, but I really
> can't tell sometimes.
>
> Why can't this be discussed without everyone getting upset and
> snapping at each other? The biggest problem with PHP right now is how
> thick-headed and cocky some of the posters to this list are. Grow up,
> and then maybe PHP will have a chance to grow up.
>
> It's only taken a couple months to realize how much time is wasted on
> political crap on this list instead of bug-fixing.
>
> On 1/11/07, Stefan Esser wrote:
>>
>> > I wonder what you mean by that - that PHP group should publish
>> > press release "PHP is not secure, please do not use it anymore" or
>> > what? I see PHP group is working quite well eliminating the security
>> > issues. As far as I know, last year there were 7 remotely exploitable
>> > issues in PHP (which is regrettable but that's the way of life to have
>> > bugs), and all of them are fixed, IIRC, and within acceptable
>> > timeframe (the last can be debatable, but PHP being an open source
>> > project the only way to fix it is to get more participation from people
>> > in submitting patches). I know of no remotely exploitable security issue
>> > that is now in current PHP version.
>> > So I wonder what would you like PHP Group to improve? What would you
>> > mean by facing reality - what in your opinion the reality is and what
>> > would you have PHP group do to satisfy you on facing reality account?
>>
>> First of all, PHP group is doing nothing. Neither do they improve PHP's
>> security nor do they stop well known PHP license abusers (because they
>> are friends).
>> Secondly, security patches are done by Ilia and maybe the Zend stuff by
>> Dmitry. All the others are doing nothing in the sense of security.
>>
>> And do I need to remind you about a certain bug in the new super duper
>> Zend Memory manager that results in a far too small buffer being
>> allocated?
>>
>> Do I need to post an exploit that uses this bug to exploit for example
>> the Soap HTTP client from ext/soap? This is a kind of remote exploit
>> against PHP. And god knows how many other places are vulnerable because
>> of the new "improved" Zend Memory Manager.
>>
>> And what about the heap underflow bug in ext/filter... Also not a remote
>> exploit?
>>
>> The fact that you do not know about any remote exploit against PHP is
>> quite irrelevant for reality.
>>
>> Stefan Esser
>>
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>

Ilia Alshanetsky