Re: PHP Update .. details

To: Steve Kemp <skx@debian.org>
Cc: debian-security@lists.debian.org
Subject: Re: PHP Update .. details
From: Hans Kratz <krypsilon@gmail.com>
Date: Thu, 23 Dec 2004 11:57:34 +0100
Message-id: <[🔎] f999ea6804122302572650332b@mail.gmail.com>
Reply-to: Hans Kratz <krypsilon@gmail.com>
In-reply-to: <[🔎] 20041223093653.GA1382@steve.org.uk>
References: <[🔎] 20041223093653.GA1382@steve.org.uk>

Hi!

>   It's looking like there won't be an update to PHP for Woody, because
>  the majority of the PHP issues aren't relevent.
> 
>   Initially a few CVE numbers were assigned and then later withdrawn
>  when it became clear that the issues could only be exploited by a
>  user who wrote a malicious PHP script - not a remote issue, or too
>  serious.  (Given that if you had the ability to write evil PHP code
>  you cold just run 'system('rm ..');'.

Unfortunately those vulnerabilities can be exploited by a user to
execute arbitrary code with the priviledges of the user running the
web server (www-data on woody). This defeats the purpose of the PHP
"safe mode" (http://www.php.net/manual/en/features.safe-mode.php) on
which many ISPs rely.

If the Debian project does not want to fix those issues IMHO Debian
should make an official statement that using the PHP safe mode with
Debian Woody does not offer the security one would expect.


Regards,


Hans
--
Hans Kratz

Reply to:

References:
- PHP Update .. details
  - From: Steve Kemp <skx@debian.org>

Prev by Date: PHP Update .. details
Next by Date: Re: php vulnerabilities
Previous by thread: PHP Update .. details
Next by thread: Re: PHP Update .. details
Index(es):
- Date
- Thread