[nycphp-talk] Re: Upcoming Month of PHP Bugs (michael)
csnyder
chsnyder at gmail.com
Wed Feb 21 15:15:04 EST 2007
On 2/21/07, Nate Abele <nate at cakephp.org> wrote:
> Despite the claims, I'm not so sure that most of these security
> issues couldn't be mitigated with a proper server configuration and a
> well-designed application. While I'm sure there are vulnerabilities
> that exist in a *stock* installation of PHP (especially in older
> versions where things like register_globals and allow_url_fopen were
> enabled by default... wait... is allow_url_fopen *still* enabled by
> default??), there's a lot you can do to in terms of configuration to
> minimize your application's target profile.
>
> Also, I seem to remember Chris Shiflett having some clarifying
> comments on Stefan and his Sohusin project, so perhaps he could weigh
> in here (hint, hint ;-).
Hi Nate, top posting as usual I see.
So for the sake of argument, let's say there there's a buffer overflow
vulnerability in getimagesize(), that could be exploited by a
carefully crafted jpeg. It doesn't matter at that point how careful
you were when you wrote your app. As soon as an attacker (er, script
kiddie) uploads a poison jpeg, she owns your server.
These are the kinds of bugs Esser is talking about, not the XSS or SQL
injection attacks that are typically the fault of an application
developer.
--
Chris Snyder
http://chxo.com/
More information about the talk
mailing list