On Mon, 05 Mar 2007, Wendall Cada wrote:

> There is an XSS vulnerability in PHP that affects some stable webapps.
> Details can be found here:
> http://www.php-security.org/MOPB/MOPB-08-2007.html
>

Hi,

there are a lot more serious bugs affecting PHP and PHP apps with
that MOPB.

See
https://bugs.gentoo.org/buglist.cgi?bug_status=__open__&product=Gentoo+Security&content=php


> I know this affects phpWebSite since there is a phpinfo file in setup.

The XSS is not permanent, and as said earlier, this is a very weak
issue. I would nearly say it's a non-issue since that is the expected
theoretical behaviour of phpinfo().

Also, don't forget to restrict access to phpinfo() to a trusted network
only.


> This will be removed upstream. All other apps need to be checked as well.
> I'm running PHP Version 5.1.6-pl6-gentoo on my laptop right now and the
> XSS attack works quite well. Not sure who maintains anything with regard
> to webapps nowadays. I've come up with no response to several inquiries.

The devs who are currently maintaining PHP are very active due to that
month of PHP bugs, so they have probably not received your inquiries,
otherwise I'm pretty sure they would have pointed you to bug 169372.

> Figured everyone on the list would like to secure their servers in the
> meanwhile.

Those who are concerned with security should follow our GLSAs. Those who
are really worried about real-time security should follow our bugzilla,
different information sources (full-disc, secunia...), or the upstream
advisories.


Generally, if you are warned about a security weakness on a stable
gentoo package, please go to bugs.gentoo.org, perform a quick search,
and if the search returns no result, please open a bug in the "Gentoo
Security" category (but most of the time, there will already be an
open bug). In that case the bug already existed.


Cheers,
--
Raphael Marichez aka Falco
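One way to apply the "trusted network only" advice from the mail inside the application itself, as an added example that is not part of the mail, of phpWebSite or of PHP's own code: a wrapper script that checks the TCP peer address against an allowlist of CIDR blocks before calling phpinfo(). The allowlisted ranges, the script name (phpinfo.php) and the 403 response body are assumptions for illustration; replace the ranges with your own admin or VPN networks.

```php
<?php
// Added example (not from the original mail): only serve phpinfo() to
// clients whose peer address lies in an allowlist of trusted networks.
// The ranges below are assumed placeholders; substitute your own.
declare(strict_types=1);

const TRUSTED_NETWORKS = [
    '127.0.0.0/8',      // local host
    '10.0.0.0/8',       // assumed internal admin network
    '::1/128',          // IPv6 local host
];

/**
 * True when $ip lies inside the CIDR block $cidr (IPv4 or IPv6).
 * A bare address without "/bits" is treated as a single-host block.
 * Malformed input or an IPv4/IPv6 mismatch fails closed (returns false).
 */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);

    if (filter_var($ip, FILTER_VALIDATE_IP) === false
        || filter_var($net, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // different address families cannot match
    }

    $maxBits = strlen($ipBin) * 8;            // 32 for IPv4, 128 for IPv6
    $bits    = ($bits === null) ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }

    // Compare the leading $bits bits: whole bytes first, then the partial byte.
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;      // top $rem bits of the next byte
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

/** True when $remoteAddr is inside any block of $networks. */
function client_is_trusted(string $remoteAddr, array $networks): bool
{
    foreach ($networks as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

// Decide on the TCP peer address only. X-Forwarded-For and similar headers
// are attacker-controlled and must not be consulted unless a trusted reverse
// proxy in front of this host is known to overwrite them.
$remote = $_SERVER['REMOTE_ADDR'] ?? '';

if (!client_is_trusted($remote, TRUSTED_NETWORKS)) {
    http_response_code(403);
    header('Content-Type: text/plain');
    echo "Forbidden\n";
    exit;
}

// Reached only from a trusted network. phpinfo() still reflects request
// data (query string, cookies, headers) into its output, which is why
// exposure, not the reflection itself, is the thing to control.
phpinfo();
```

The same restriction can be enforced one layer up, in the web server (for example an Apache `<Files>` block limiting the script to specific source addresses), which also covers the case where the PHP file is copied elsewhere under the document root; doing it in the script as above has the advantage of travelling with the file.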