PHP new vulnerabilities

Paul Schmehl pauls at utdallas.edu
Sun Oct 15 12:08:10 PDT 2006


--On October 15, 2006 2:50:34 PM -0400 Bill Moran 
<wmoran at collaborativefusion.com> wrote:
>
> Have you looked at the vulnerability?  There are only certain coding
> instances that would actually open this up to any attack vector.  Since
> the bug is in unserialize, it's pretty easy to audit a program to ensure
> that it isn't vulnerable.
>
> "absolute fool" seems a little extreme.

Perhaps.  How many people are talented enough to understand the 
vulnerability and how it's exploited and know *for certain* that they 
won't have a problem?

It would be different if we were talking about an app that isn't exploited 
much.  PHP is exploited every day, even when it's fully patched, due to 
the complexity of the attacks and the lack of understanding of most people 
who code in PHP.

Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
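
As an added example that is not part of the original thread, here is one way to run the kind of audit for unserialize() calls that the quoted message mentions. It is a regex heuristic in Python, not a PHP parser; the superglobal list, the verdict names and the sample PHP are assumptions made for illustration, and calls inside comments or strings are reported too.

```python
import re

# Assumption: these request superglobals are treated as attacker-controlled.
SUPERGLOBALS = re.compile(r"\$_(?:GET|POST|COOKIE|REQUEST|SERVER|FILES)\b")
# Built-in calls only: skips ->unserialize(), ::unserialize(), my_unserialize().
CALL = re.compile(r"(?<![\w>:$])unserialize\s*\(", re.IGNORECASE)
ASSIGN = re.compile(r"(\$\w+)\s*=(?!=)([^;]*);")

def _uses(expr, variables):
    return any(re.search(re.escape(v) + r"\b", expr) for v in variables)

def _argument(src, start):
    """Text from `start` (just past the opening paren) to its matching ')'."""
    depth, i = 1, start
    while i < len(src) and depth:
        depth += {"(": 1, ")": -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1] if depth == 0 else src[start:]

def audit_unserialize(src):
    """Return (line, verdict, argument) for every unserialize() call in src."""
    tainted = set()
    for var, rhs in ASSIGN.findall(src):
        # Forward pass: taint a variable built from request data or a tainted one.
        if SUPERGLOBALS.search(rhs) or _uses(rhs, tainted):
            tainted.add(var)
    findings = []
    for m in CALL.finditer(src):
        arg = _argument(src, m.end()).strip()
        if SUPERGLOBALS.search(arg):
            verdict = "request-input"
        elif _uses(arg, tainted):
            verdict = "tainted-variable"
        else:
            verdict = "review"  # not proven safe, needs a human look
        findings.append((src.count("\n", 0, m.start()) + 1, verdict, arg))
    return findings

# Constructed sample input, not taken from any real application.
SAMPLE = """<?php
$prefs = unserialize($_COOKIE['prefs']);
$raw = base64_decode($_POST['state']);
$state = unserialize($raw);
$cfg = unserialize(file_get_contents('/var/cache/app.ser'));
$obj->unserialize($_GET['x']);
"""
if __name__ == "__main__":
    for line, verdict, arg in audit_unserialize(SAMPLE):
        print(f"line {line}: {verdict}: unserialize({arg})")
```

A "review" verdict only means no request data was seen in the same file; input that arrives through function parameters, includes or a database is outside what this pass can trace.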


More information about the freebsd-questions mailing list