| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 08 Feb 2009 14:12:43 +0100 From: Stefan Esser <stefan.esser@...tioneins.de> To: ascii <ascii@...amail.com> Cc: Bugtraq <bugtraq@...urityfocus.com>, Full-Disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: [Full-disclosure] PHP filesystem attack vectors Hello, ascii schrieb: > PHP filesystem attack vectors > > Name PHP filesystem attack vectors > Systems Affected PHP and PHP+Suhosin This research misses some information. It compares "vanilla PHP" to "patched PHP" but that is not exactly true. PHP + Suhosin replaces the system's realpath() with an own implementation based on FreeBSD (+ some hardening). This means everything presented that works against PHP + Suhosin should work against vanilla PHP when used on FreeBSD, OS X, OpenBSD, ... Additionally the research should be repeated with PHP 5.3-beta, because it now does something very similar to Suhosin. Stefan Esser
Powered by blists - more mailing lists