NYCPHP Meetup

NYPHP.org

[nycphp-talk] apocryphal safe mode bug and SANS' alert CAN-2003-0863

Hans Zaunere hans at nyphp.org
Tue Nov 18 22:59:27 EST 2003



Tim Gales wrote:

> Chris Schiflett wrote:
> 
>>So, that line has not changed since Feb 2002. His email is 
>>from Jul 2003. This leads me to believe that his argument is 
>>completely invalid, even at the time that he wrote that email.
>>
> 
> 
> Firstly, thanks very much Chris for taking the time to read
> and respond to my earlier post.
> 
> Your response is pretty compelling evidence that there is and was no bug
> (and your response is much more concise and concrete than the argument I
> had in mind)
> 
> The guy was clearly wrong but still SANS picked it up and published it as a
> possible problem.
> 
> And the ISS page makes it look like there is a gaping security hole in
> PHP.
> 
> Maybe NYPHP should have a section debunking some of the myths which get
> propagated about PHP.

I think these types of inflammatory security alerts, and their then being blindly accepted by ISS and the like, are a real problem. As we've discussed in regards to prior SecurityFocus alerts, and as Chris I think rightly points out in this case, no one reviews these "alerts" - and frankly it's a little scary what other false positives there are, not only in PHP.

I think it would be of great benefit to PHP's growth to have some follow-up to security alerts that come out for PHP. Even something as simple as "yes, it's valid" or "no, we can't find any backing to that claim" would be of great value, and might get these "expert security teams" to wake up.

H
