[php-maint] Bug#336645: PHP 4.4.1 fixes security bugs

Florian Weimer fw at deneb.enyo.de
Tue Nov 1 07:54:08 UTC 2005


* Steve Langasek:

> However, in reading over the description of the vulnerabilities, I don't
> really see any grounds for regarding these as grave security bugs.  The most
> severe of these problems, 202005.79, only has a significant impact when
> register_globals is set in the PHP environment -- a setting which has been
> strongly deprecated for quite some time, and which is disabled by default in
> sarge.  There is a *lot* of PHP application code that is vulnerable to XSS
> or remote injection attacks when run with register_globals on,

There are plenty of installations in the field which run with
register_globals=on.  If I read the report correctly, some common
workarounds to port code to register_globals=off also result in
vulnerabilities.  While the compatibility code should probably be
considered vulnerable, it's desirable security-wise to add some
additional protection.  However, after taking other factors into
account, it might still be a poor trade-off, of course.

> or which does stupid things with manually registering request
> variables as global variables; I'm not convinced that this warrants
> a grave bug against PHP...

I think it boils down to whether Debian wants to offer security
support for register_globals=on configurations.  So far, I assumed the
answer is "yes".  I don't mind changing it to a "no" for practical
reasons, but this has to be documented somewhere (like the lack of
"safe mode" security support, ahem).
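
Added illustration, not part of the original message or of the bug report: a sketch of the kind of register_globals=off compatibility shim the thread refers to, next to an allow-list version. The function names, the `$is_admin` variable and the request data are hypothetical and constructed for this example.

```php
<?php
// Constructed request data standing in for $_REQUEST (hypothetical values).
$request = array('page' => 'report', 'is_admin' => '1');

// Weak shim: copies every request key into the local scope, which recreates
// the behaviour of register_globals=on. Any variable the code forgets to
// initialise can then be supplied by the client.
function render_weak(array $request, $authenticated)
{
    foreach ($request as $name => $value) {
        $$name = $value;              // 'is_admin' is created from the request
    }
    if ($authenticated) {
        $is_admin = true;             // never initialised to false beforehand
    }
    return array(
        'page'     => isset($page) ? $page : 'home',
        'is_admin' => !empty($is_admin),
    );
}

// Hardened form: only allow-listed names are read from the request, each
// with a default, and security state is derived from server-side data only.
function render_hardened(array $request, $authenticated)
{
    $allowed = array('page' => 'home');   // name => default value
    $vars = array();
    foreach ($allowed as $name => $default) {
        $ok = isset($request[$name]) && is_string($request[$name]);
        $vars[$name] = $ok ? $request[$name] : $default;
    }
    $is_admin = ($authenticated === true);
    return array('page' => $vars['page'], 'is_admin' => $is_admin);
}

// Same unauthenticated request through both versions.
var_dump(render_weak($request, false));
var_dump(render_hardened($request, false));
```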



