Re: PHP4 vulnerabilities



* Thomas Hochstein:

> Allard Hoeve <allard@byte.nl> wrote on 13 Apr 2006:
>
>> Please take note of bugs:
>> 
>> - #361853: [CVE-2006-0996] phpinfo() Cross Site Scripting
>> - #361855: [CVE-2006-1494] tempnam() open_basedir bypass
>> - #361856: [CVE-2006-1608] copy() Safe Mode Bypass
>
> I wonder why there was no DSA at all for php4 (or php5) in 2006,
> though upstream released PHP 4.4.3 and 4.4.4 containing security
> fixes...

Do you know of any vulnerability which can be exploited on its own,
without relying on buggy PHP scripts on the server (or the ability to
upload your own PHP scripts)?  Such an issue should be fixed ASAP.

Note that PHP in sarge is still at the 4.3 branch, which was
discontinued upstream quite some time ago.  Backporting the fixes is
not exactly trivial.  It's sad that so many useful web applications
are written in PHP. 8-(
