| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1096542287.6999.24.camel@sv800.color24.it> Date: Thu, 30 Sep 2004 13:04:48 +0200 From: Stefano Di Paola <stefano.dipaola@...ec.it> To: Florian Weimer <fw@...eb.enyo.de> Cc: Bugtraq <bugtraq@...urityfocus.com>, vulnwatch <vulnwatch@...nwatch.org> Subject: Re: Php RFC1867 Upload Vuln. POC Released Maybe Secunia tought it was the same issue but they're wrong the issue is different it applies to 4.3.8 and 5.0.1. I didn't released a poc so they found that (wrong and old) one...instead of contacting me... "GPC input processing fixes." i think it reassumes both vulns i found. Yes it's almost critical. But just in some cases. You can find diff files on http://cvs.php.net/php-src/main/php_variables.c 1.45.2.7 http://cvs.php.net/php-src/main/rfc1867.c 1.122.2.26 on php 4.3.x branch or 5.0.x branch Regards, Stefano On Thu, 2004-09-30 at 12:43, Florian Weimer wrote: > * Stefano Di Paola: > > > Php 4.3.9 and 5.0.2 have been released with the patch for this > > vulnerability, so I've decided to release the POC for this vuln. > > Secunia reports that this is PHP issue #28456, which has been fixed in > PHP 4.3.7. Can you confirm whether these defects are distinct or the > same? The other issue in the 4.3.9 announcement is called "GPC input > processing fixes", and it seems to be somewhat critical, too. > > Is anybody aware of minimal patches relative to PHP 4.3.8 (or earlier > versions)? >
Powered by blists - more mailing lists