[php-maint] Re: php4 security issues, the complete works (vol 2)
jmm at inutil.org
Mon Sep 11 17:22:29 UTC 2006
sean finney wrote:
> yes, i agree. i'll make sure to have some notes in the next uploads
> of php4/php5 about this. joey/moritz: i imagine that i should get you
> guys to sign off on whatever that blurb says... how about:
> Because of the large number of security-related problems with
> certain PHP configurations, the Debian security team does not
> provide security support for configurations known to be
> inherently insecure. Most specifically, the security team will
> not provide support for flaws in:
> - vulnerabilities involving register_globals being activated,
> unless specifically the vulnerability activates this setting
> when it was configured as deactivated.
> - vulnerabilities involving any kind of safe_mode or
> open_basedir violation, as these are security models flawed
> by design and no longer have upstream support either.
> - any "works as expected" vulnerabilities, such as "user can
> cause php to crash by writing a malicious php script", unless
> such vulnerabilities involve some kind of higher-level DoS or
> privilege escalation that would not otherwise be available.
> - something else? something more specific about input
> sanitizing problems?
That looks nice, but it should also be pointed out that it's not a
question of a lack of resources, but of providing a sane solution;
PHP is not designed to bypass every possible flaw an incompetent web
developer could make. I guess you as a native speaker could formulate
that a little more positively :-)
I guess we should also point out that most of the issues above are addressed
by the way PHP 6 will handle them (no more open_basedir, register_globals,
safe mode, etc.).
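As an added illustration of the first bullet in the draft policy (not code from the thread, from Debian, or from PHP upstream), the following shows the kind of register_globals flaw the security team would decline to treat as a PHP bug, beside a form of the same page that does not depend on that setting. The file name admin.php and the function valid_credentials() are assumptions made for the example; the php.ini lines are shown as comments for comparison.

```php
<?php
// Added example, not part of the original message. Hypothetical admin.php.
//
// php.ini fragment, weak setting beside the corrected one:
//   register_globals = On    ; request parameters become PHP variables
//   register_globals = Off   ; the only configuration the draft note supports
//
// --- Vulnerable pattern (exploitable only when register_globals = On) ---
// The script trusts a variable it never initialized. With register_globals
// enabled, a request such as  admin.php?authorized=1  defines $authorized
// before the script runs, so the credential check is simply skipped:
//
//   if (valid_credentials($user, $pass)) {
//       $authorized = true;
//   }
//   if ($authorized) {
//       show_admin_panel();
//   }
//
// Nothing in PHP itself is broken here; the configuration lets the client
// pre-set script state, which is why the draft note classes it as an
// inherently insecure setup rather than a supported vulnerability.

// --- Hardened form: independent of register_globals ---

// 1. Refuse to run at all under the setting the policy excludes. ini_get()
//    returns "1" for On and "" (or "0") for Off, so a plain truth test works.
if (ini_get('register_globals')) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('register_globals must be Off for this application');
}

// 2. Report use of uninitialized variables so the pattern above is noticed
//    in testing (E_ALL includes the E_NOTICE raised for undefined variables).
error_reporting(E_ALL);

// 3. Initialize every security-relevant variable explicitly, and read input
//    only from the request superglobals, never from bare variable names.
$authorized = false;
$user = isset($_POST['user']) ? (string) $_POST['user'] : '';
$pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';

if (valid_credentials($user, $pass)) {
    $authorized = true;
}

if (!$authorized) {
    header('HTTP/1.0 403 Forbidden');
    exit('Forbidden');
}

show_admin_panel();

// Stand-ins for the application's own logic (assumed for the example).
function valid_credentials($user, $pass)
{
    // Constant placeholder check; a real deployment would consult a
    // credential store and a slow password hash.
    return $user === 'admin' && $pass === 'correct horse battery staple';
}

function show_admin_panel()
{
    echo "admin panel\n";
}
```

Even with register_globals = Off, the explicit `$authorized = false;` is the line that matters: the hardened page stays correct regardless of how the interpreter is configured, which is the property the draft note asks application authors to provide for themselves.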