| 1 |
On Mon, 05 Mar 2007, Wendall Cada wrote: |
| 2 |
|
| 3 |
> There is an XSS vulnerability in PHP that affects some stable webapps. |
| 4 |
> Details can be found here: |
| 5 |
> http://www.php-security.org/MOPB/MOPB-08-2007.html |
| 6 |
> |
| 7 |
|
| 8 |
|
| 9 |
Hi, |
| 10 |
|
| 11 |
there are a lot of more serious bugs affecting PHP and PHP apps with |
| 12 |
that MOPB. |
| 13 |
|
| 14 |
See |
| 15 |
https://bugs.gentoo.org/buglist.cgi?bug_status=__open__&product=Gentoo+Security&content=php |
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
> I know this affects phpWebSite since there is a phpinfo file in setup. |
| 20 |
|
| 21 |
The XSS is not permanent, and as said earlier, this is a very weak |
| 22 |
issue. I would nearly say it's a non-issue since that is the expected |
| 23 |
theorical behaviour of phpinfo(). |
| 24 |
|
| 25 |
Also, don't forget restrict the access to phpinfo() to a trusted network |
| 26 |
only. |
| 27 |
|
| 28 |
|
| 29 |
> This will be removed upstream. All other apps need checked as well. I'm |
| 30 |
> running PHP Version 5.1.6-pl6-gentoo on my laptop right now and the XSS |
| 31 |
> attack works quite well. Not sure who maintains anything with regard to |
| 32 |
> webapps nowadays. I've come up with no response to several inquiries. |
| 33 |
|
| 34 |
The devs who are currently maintaining PHP are very active due to that |
| 35 |
month of PHP bugs so they have probably not received your inquiries, |
| 36 |
otherwise i'm pretty sure they would have pointed you to bug 169372. |
| 37 |
|
| 38 |
> Figured everyone on the list would like to secure their servers in the |
| 39 |
> meanwhile. |
| 40 |
|
| 41 |
Those who are concerned with security should follow our GLSAs. Those who |
| 42 |
are really worried about real-time security should follow our bugzilla, |
| 43 |
different information sources (full-disc, secunia...), or the upstream |
| 44 |
advisories. |
| 45 |
|
| 46 |
|
| 47 |
Generally, if you are warned about a security weakness on a stable |
| 48 |
gentoo package, please go to bugs.gentoo.org, perform a quick search, |
| 49 |
and if the search returns no result, please open a bug in the "Gentoo |
| 50 |
Security" category. (but most of the time, there will already be an |
| 51 |
opened bug). In that case the bug already existed. |
| 52 |
|
| 53 |
|
| 54 |
Cheers, |
| 55 |
-- |
| 56 |
Raphael Marichez aka Falco |
Archives