[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <45F2E99E.6080400@hardened-php.net>
Date: Sat, 10 Mar 2007 18:23:42 +0100
From: Stefan Esser <sesser@...dened-php.net>
To: Stefano Di Paola <stefano.dipaola@...ec.it>
Cc: FD <full-disclosure@...ts.grok.org.uk>,
phpsec <security@....net>, bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] PHP import_request_variables() arbitrary variable
overwrite
Hello Stefano,
first of all. I am not angry at you, although my mail might have sounded
so, but at the people that deserve it.
The fault of the PHP Security Response Team is not yours. They are the
ones that give credit to the wrong persons.
Luckily after 2.5 years they fixed that issue (or atleast tried so).
> Anyway it seems that your month of php bugs is getting php developers
> more sensitive to all issues...
> Maybe there was some misunderstanding between you and dev team and the
> core team was less interested in this kind of flaws at that time.
>
This is the goal of the MOPB. And right now it might look like the MOPB
was already successfull. Unfortunately I have worked together with the
PHP Security Response Team for several years and I know how they react.
They might be active for a little while (especially when the media looks
at them) but when that period of time is over they will continue with
their old habits.
Stefan Esser
Powered by blists - more mailing lists