[php-maint] Bug#336645: PHP 4.4.1 fixes security bugs

Florian Weimer fw at deneb.enyo.de
Tue Nov 1 07:54:08 UTC 2005

* Steve Langasek:

> However, in reading over the description of the vulnerabilities, I don't
> really see any grounds for regarding these as grave securty bugs.  The most
> severe of these problems, 202005.79, only has a significant impact when
> register_globals is set in the PHP environment -- a setting which has been
> strongly deprecated for quite some time, and which is disabled by default in
> sarge.  There is a *lot* of PHP application code that is vulnerable to XSS
> or remote injection attacks when run with register_globals on,

There are plenty installations in the field which run with
register_globals=on.  If I read the report correctly, some common
workarounds to port code to register_globals=off also result in
vulnerabilities.  While the compatibility code should probably be
considered vulnerable, it's desirable security-wise to add some
additional protection.  However, after taking other factors into
account, it might still be a poor trade-off, of course.

> or which does stupid things with manually registering request
> variables as global variables; I'm not convinced that this warrants
> a grave bug against PHP...

I think it's boils down to whether Debian wants to offer security
support for register_globals=on configurations.  So far, I assumed the
answer is "yes".  I don't mind changing it to a "no" for practical
reasons, but this has to be documented somewhere (like the lack of
"safe mode" security support, ahem).

More information about the pkg-php-maint mailing list