PHP new vulnarabilities
pauls at utdallas.edu
Sun Oct 15 12:08:10 PDT 2006
--On October 15, 2006 2:50:34 PM -0400 Bill Moran
<wmoran at collaborativefusion.com> wrote:
> Have you looked at the vulnerability? There are only certian coding
> instances that would actually open this up to any attack vector. Since
> the bug is in unserialize, it's pretty easy audit a program to ensure
> that it isn't vulnerable.
> "absolute fool" seems a little extreme.
Perhaps. How many people are talented enough to understand the
vulnerability and how it's exploited and know *for certain* that they
won't have a problem?
It would be different if we were talking about an app that isn't exploited
much. Php is exploited every day, even when it's fully patched, due to
the complexity of the attacks and the lack of understanding of most people
who code in php.
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
More information about the freebsd-questions