[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200809291714.m8THEDPN029100@faron.mitre.org>
Date: Mon, 29 Sep 2008 13:14:13 -0400 (EDT)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com
Subject: Re: php create_function commond injection vulnerability
There are two main takeaways from this advisory:
1) PHP application programmers can and will misuse this function
(CVE-2008-4096, CVE-2007-5423), but most PHP code auditors probably
don't check for it yet. So it's good for awareness.
2) Any language that has an equivalent capability for creating
anonymous functions will probably have application programmers that
abuse it.
- Steve
Powered by blists - more mailing lists