Newsgroups: php.internals
From: seanius@seanius.net (sean finney)
To: ceo@l-i-e.com
Cc: Stefan Esser, Alexey Zakhlestin, PHP internals
Date: Mon, 21 May 2007 23:46:27 +0200
Message-ID: <1179783987.6027.30.camel@localhost>
Subject: Re: [PHP-DEV] Dismantling the lies...

hi guys,

sorry to butt in here, but thought i'd have something to add/ask:

On Mon, 2007-05-21 at 15:49 -0500, Richard Lynch wrote:
>
> If I'm understanding this correctly, (and that's definitely debatable)
> there seems to be an awfully large "hole" there of being able to poke
> random bits of RAM.
> So, really, if a Bad Guy has access to poke random values into your
> RAM, is PHP even relevant to this hack?...

i've heard (though not confirmed myself) that if php is running as a loadable apache module it is possible to use such a local attack vector to read from the apache parent's memory, and extract tasty morsels such as unencrypted SSL keys. obviously this would have an impact on the severity of otherwise mundane local exploits.

is that FUD, or... ?

sean