Hi, I've been using PHP for a long time and have recently found a
couple of major bugs that would allow pretty much any user on a shared
web hosting server to read other user's files. The conditions for this
exploit are quite common. Also, from what I can tell, this exploit
would not be very easy to fix and in fact may not be fixable until a
peruser MPM for Apache is completely ready (Like perchild or Metux).
It could be that you already know about this problem but have also not
reported it. I couldn't find any other information about it from doing
some searches.
This leads me to wonder, is it a good idea to make this vulnerability
known? On the one hand, releasing the information would allow admins
and developers to try to fix it, but on the other hand, if its not
immediately fixable it would allow for a large window of opportunity for
attacks. Thus, I came to this list for some advice on what I should do.
Maybe I could at least email one of your privately so that you can see
what it is.
Thanks,
Mark
--
Mark S. Krenz
IT Director
Suso Technology Services, Inc.
http://suso.org/
Such issues should be directed to security@php.net
Mark Krenz wrote:
Hi, I've been using PHP for a long time and have recently found a
couple of major bugs that would allow pretty much any user on a shared
web hosting server to read other user's files. The conditions for this
exploit are quite common. Also, from what I can tell, this exploit
would not be very easy to fix and in fact may not be fixable until a
peruser MPM for Apache is completely ready (Like perchild or Metux).
It could be that you already know about this problem but have also not
reported it. I couldn't find any other information about it from doing
some searches.This leads me to wonder, is it a good idea to make this vulnerability
known? On the one hand, releasing the information would allow admins
and developers to try to fix it, but on the other hand, if its not
immediately fixable it would allow for a large window of opportunity for
attacks. Thus, I came to this list for some advice on what I should do.
Maybe I could at least email one of your privately so that you can see
what it is.Thanks,
Mark
Is that a publically accessable mailing list or does it just go to a
few people?
On Mon, Apr 04, 2005 at 04:35:59AM GMT, Rasmus Lerdorf [rasmus@lerdorf.com] said the following:
Such issues should be directed to security@php.net
Mark Krenz wrote:
Hi, I've been using PHP for a long time and have recently found a
couple of major bugs that would allow pretty much any user on a shared
web hosting server to read other user's files. The conditions for this
exploit are quite common. Also, from what I can tell, this exploit
would not be very easy to fix and in fact may not be fixable until a
peruser MPM for Apache is completely ready (Like perchild or Metux).
It could be that you already know about this problem but have also not
reported it. I couldn't find any other information about it from doing
some searches.This leads me to wonder, is it a good idea to make this vulnerability
known? On the one hand, releasing the information would allow admins
and developers to try to fix it, but on the other hand, if its not
immediately fixable it would allow for a large window of opportunity for
attacks. Thus, I came to this list for some advice on what I should do.
Maybe I could at least email one of your privately so that you can see
what it is.Thanks,
Mark
--
Mark S. Krenz
IT Director
Suso Technology Services, Inc.
http://suso.org/
Is that a publically accessable mailing list or does it just go to a
few people?
Only a few people.
Derick
--
Derick Rethans
http://derickrethans.nl | http://ez.no | http://xdebug.org
On Mon, 4 Apr 2005 09:13:04 +0200 (CEST), in php.internals
derick@php.net (Derick Rethans) wrote:
Is that a publically accessable mailing list or does it just go to a
few people?Only a few people.
.. but don't expect any kind of feedback :-)
(yeah, I know - I'm still yackin' about the
print_r(glob("{/home/currentuser/,/etc/}*",GLOB_BRACE)) issue combined
with the glob file name disclosure issue)
--
- Peter Brodersen
Please send details to security@php.net for further analysis.
--Wez.
Hi, I've been using PHP for a long time and have recently found a
couple of major bugs that would allow pretty much any user on a shared
web hosting server to read other user's files. The conditions for this
exploit are quite common. Also, from what I can tell, this exploit
would not be very easy to fix and in fact may not be fixable until a
peruser MPM for Apache is completely ready (Like perchild or Metux).
It could be that you already know about this problem but have also not
reported it. I couldn't find any other information about it from doing
some searches.This leads me to wonder, is it a good idea to make this vulnerability
known? On the one hand, releasing the information would allow admins
and developers to try to fix it, but on the other hand, if its not
immediately fixable it would allow for a large window of opportunity for
attacks. Thus, I came to this list for some advice on what I should do.
Maybe I could at least email one of your privately so that you can see
what it is.Thanks,
Mark
--
Mark S. Krenz
IT Director
Suso Technology Services, Inc.
http://suso.org/