
Re: PHP Update .. details


>   It's looking like there won't be an update to PHP for Woody, because
>  the majority of the PHP issues aren't relevant.
>   Initially a few CVE numbers were assigned and then later withdrawn
>  when it became clear that the issues could only be exploited by a
>  user who wrote a malicious PHP script - not a remote issue, or too
>  serious.  (Given that if you had the ability to write evil PHP code
>  you could just run 'system('rm ..');'.)

Unfortunately those vulnerabilities can be exploited by a user to
execute arbitrary code with the privileges of the user running the
web server (www-data on woody). This defeats the purpose of the PHP
"safe mode" (http://www.php.net/manual/en/features.safe-mode.php) on
which many ISPs rely.

If the Debian project does not want to fix those issues IMHO Debian
should make an official statement that using the PHP safe mode with
Debian Woody does not offer the security one would expect.


Hans Kratz
