lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <45F2E99E.6080400@hardened-php.net>
Date: Sat, 10 Mar 2007 18:23:42 +0100
From: Stefan Esser <sesser@...dened-php.net>
To: Stefano Di Paola <stefano.dipaola@...ec.it>
Cc: FD <full-disclosure@...ts.grok.org.uk>,
	phpsec <security@....net>, bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] PHP import_request_variables() arbitrary	variable
 overwrite

Hello Stefano,

first of all. I am not angry at you, although my mail might have sounded
so, but at the people that deserve it.

The fault of the PHP Security Response Team is not yours. They are the
ones that give credit to the wrong persons.
Luckily after 2.5 years they fixed that issue (or atleast tried so).

> Anyway it seems that your month of php bugs is getting php developers
> more sensitive to all issues...
> Maybe there was some misunderstanding between you and dev team and the
> core team was less interested in this kind of flaws at that time.
>   
This is the goal of the MOPB. And right now it might look like the MOPB
was already successfull. Unfortunately I have worked together with the
PHP Security Response Team for several years and I know how they react.
They might be active for a little while (especially when the media looks
at them) but when that period of time is over they will continue with
their old habits.


Stefan Esser

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ