The Turkey Curse
fukamis terror chatroom

Interview with Stefan Esser at Securityfocus

Boomtime, 37th Chaos, 3173.

[Securityfocus][Securityfocus] has published an interview with [Stefan Esser][esser] titled [PHP Security From The Inside][PHP Security From The Inside]. Alongside his reasons for [leaving the PHP Security Response Team][Ausstieg], the problem of how security is handled within the PHP project, and how release management is done, he once again mentions the [Month Of the PHP Bugs][Month Of the PHP Bugs], which is scheduled to take place in March 2007:


If you are using mod_ssl this allows for stealing the private key for the SSL cert from Apache’s memory from within a PHP script. (Data that is normally only accessible by root - Oh I think I will demonstrate this in the Month of PHP bugs).


We will disclose different types of bugs, mainly buffer overflows or double free(/destruction) vulnerabilities, some only local, but some remotely trigger-able (for example, because they are in functions usually exposed to user input). Additionally there are some trivial bypass vulnerabilities in PHP’s own protection features. Only holes within the code shipped with the default distribution of PHP will be disclosed. That means we will not disclose holes in extensions that only exist in PECL, while we are sure that those contain vulnerabilities, too. Most of the holes were previously disclosed to the vendor, but not all.

Stefan also comments on the ethical aspect of the planned MOPB:

As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical.

I am very curious to see what exactly he will show in March. At the very latest, this is the point where a closer look at [Suhosin][suhosin] is worthwhile (at least if you are unwilling or unable to do without PHP).

[Securityfocus]: http://www.securityfocus.com/
[esser]: http://blog.php-security.org/
[PHP Security From The Inside]: http://www.securityfocus.com/columnists/432/1
[Ausstieg]: http://blog.php-security.org/archives/61-Retired-from-securityphp.net.html
[Month Of the PHP Bugs]: http://blog.php-security.org/archives/46-Month-of-PHP-bugs.html
[suhosin]: http://www.hardened-php.net/suhosin.127.html
