Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:68387
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 34258 invoked from network); 5 Aug 2013 18:47:35 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 5 Aug 2013 18:47:35 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.42 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.215.42 mail-la0-f42.google.com  
Received: from [209.85.215.42] ([209.85.215.42:64828] helo=mail-la0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id C4/15-06453-643FFF15 for <internals@lists.php.net>; Mon, 05 Aug 2013 14:47:35 -0400
Received: by mail-la0-f42.google.com with SMTP id mf11so2377769lab.15
        for <internals@lists.php.net>; Mon, 05 Aug 2013 11:47:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date
         :x-google-sender-auth:message-id:subject:to:cc:content-type;
        bh=5gP/b+HV1jhGWuzpWkP4MK87a6PmtNGBZll6uurXPHs=;
        b=Q8d/FjERttIti9+MzD9y1+konkdXXGvC2nTxYUrp4rBfahfhqNYM8BouF+ZIVNTFtQ
         Ed0jhmdclz7erb898YlCsdMBhPHmcV+12EWEewTIaIm0HvzmUP+VgOdaLlJyqwD0ikU9
         YgQObUdG59A3p1f3MOUQ4pQlXXRQFJOiZ6kQelYh71I5Uo9TDYJ+JtMsmtGMcxrM0rux
         tR1pl+ZwcigTbRYaq0EUu0PMOEQIyLx5fhCHGIcMqCG6/kKnlHiwSUjU5A2OEXFzLyvq
         bNwdHBbXf9iLVGguu1Ft5UhKGfzvxSXX9KtaWy9lFvfKl0Ob+hQh1HdPGQbAQkT3hQjD
         nqpw==
X-Received: by 10.152.22.42 with SMTP id a10mr9486137laf.30.1375728451227;
 Mon, 05 Aug 2013 11:47:31 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.127.233 with HTTP; Mon, 5 Aug 2013 11:46:51 -0700 (PDT)
In-Reply-To: <CA+p1Tcb8umQgn34bYsZL=UTGGPu3cNaaDT2zbNBDsHRrkQq-rg@mail.gmail.com>
References: <CAJRMtAGcN-n9wv8-CFiLt+bXhMvOcmfG8a3kBORVUVCz9n4Bqw@mail.gmail.com>
 <50364644.1060302@lerdorf.com> <CAJRMtAH=-B8+M6+kMrpKQZ=Yg2ASa5iv=JCUbjvHkw0UFmw73w@mail.gmail.com>
 <CAL+t6cHj4p=RLwSRGX789w-CswZQd_XtuL364KRBsc66ROdmJA@mail.gmail.com>
 <CAGa2bXY2+kDx32evFmFqUD3P1L6x=PypnVJTuj_mP2853QWQKw@mail.gmail.com>
 <5039D249.30707@sugarcrm.com> <CAGa2bXZso_S3fOUogqMwiTYJKtK3KZH5Fs8GZApxMnT+DwgpbQ@mail.gmail.com>
 <CAGa2bXauBFja+BJcLxiE5t5rnfna1QDt3iTRdYr04a1ExFz7+A@mail.gmail.com>
 <503A968A.4070206@sugarcrm.com> <CAGa2bXaMYxD3-mbATK0WfEryVEvjHE8m2RnujTauLN8t1S+H6w@mail.gmail.com>
 <CAGa2bXZ3pYiO5Lfn5NS-vuPBk_X6SUsr6Qsswya6mx0S3SjgeQ@mail.gmail.com>
 <CAGa2bXY-+B-_-3N2=VYy7rJB-eXF0nzrGA-eSJmM+O87qDrx-Q@mail.gmail.com>
 <51FEEEAF.1070705@sugarcrm.com> <51FEF5AA.5060409@sugarcrm.com>
 <CAGa2bXY0f+vveuRi5hbtfk2d2jn80zAwg0611nqEHXuzNJXBWA@mail.gmail.com>
 <CA+p1TcaEth-KAQEdm9vufs5urky00DBqg1Lg2yHibErb1vWrrw@mail.gmail.com>
 <CAGa2bXbYgQ1wVUQOq1=0MQQ7g7V+UonLFmMO5vQCJxTDFsLRkA@mail.gmail.com>
 <CA+p1TcaQtT3nm+rqhArfu0AFsNBTr2u_-KXjd6A2E6HVj2r_tQ@mail.gmail.com>
 <CAGa2bXb50teO0UgpsNdwWdCkv=+2MAJAw0VLfPu0T9dDRbU1ZA@mail.gmail.com>
 <CA+p1TcZ=eRmJLcGS430rrA_r6xOFvgj18dqVb5_zJQy0_TiEVw@mail.gmail.com>
 <CAGa2bXY-u8SDqeQpLuZY4yfej3VMWnF11FW+1m4Lnh3r9CUUkw@mail.gmail.com> <CA+p1Tcb8umQgn34bYsZL=UTGGPu3cNaaDT2zbNBDsHRrkQq-rg@mail.gmail.com>
Date: Tue, 6 Aug 2013 03:46:51 +0900
X-Google-Sender-Auth: SSePx8t1qZ3_HltpJwCgZq9qz1o
Message-ID: <CAGa2bXZJFapauPMWP7Rcmh5A5gLyjVGvKyrcXgoT_JJjsG=GBw@mail.gmail.com>
To: Arpad Ray <arraypad@gmail.com>
Cc: Stas Malyshev <smalyshev@sugarcrm.com>, PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=089e0158b794a494d604e337bdb3
Subject: Re: [PHP-DEV] Session Id Collisions
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--089e0158b794a494d604e337bdb3
Content-Type: text/plain; charset=UTF-8

Hi Arpad,

On Tue, Aug 6, 2013 at 1:04 AM, Arpad Ray <arraypad@gmail.com> wrote:

>  I think there really should be a vote.


This means you don't really understand the true risk of this vulnerability.
It allows permanent session ID fixation. This is CVE assigned vulnerability.
Details are explained in the RFC and I don't want to explain fully in ML
again.
(We might discussed the details in security@php.net, but I think I wrote
enough info)

Please refer to the RFC.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--089e0158b794a494d604e337bdb3--