[nycphp-talk] Re: Upcoming Month of PHP Bugs (michael)

Hans Zaunere lists at zaunere.com
Wed Feb 21 22:49:39 EST 2007


csnyder wrote on Wednesday, February 21, 2007 3:15 PM:
> On 2/21/07, Nate Abele <nate at cakephp.org> wrote:
> > Despite the claims, I'm not so sure that most of these security
> > issues couldn't be mitigated with a proper server configuration and
> > a well-designed application.  While I'm sure there are
> > vulnerabilities that exist in a *stock* installation of PHP
> > (especially in older versions where things like register_globals
> > and allow_url_fopen were enabled by default... wait... is
> > allow_url_fopen *still* enabled by default??), there's a lot you
> > can do in terms of configuration to minimize your application's
> > target profile. 
> > 
> > Also, I seem to remember Chris Shiflett having some clarifying
> > comments on Stefan and his Suhosin project, so perhaps he could
> > weigh in here (hint, hint ;-).
> 
> Hi Nate, top posting as usual I see.
> 
> So for the sake of argument, let's say there's a buffer overflow
> vulnerability in getimagesize(), that could be exploited by a
> carefully crafted jpeg. It doesn't matter at that point how careful
> you were when you wrote your app. As soon as an attacker (er, script
> kiddie) uploads a poison jpeg, she owns your server.

So... is this a bug in PHP or GD?  :)

> These are the kinds of bugs Esser is talking about, not the XSS or SQL
> injection attacks that are typically the fault of an application
> developer.

But yes, I agree - it's talking about these types of buffer overflows and
classic C security problems that I think made us all pay attention to this
announcement.

The classic PHP quagmire, of course, is that there's a fine line between a
problem in PHP/ZE core, and a problem in a linked library.  There are likely
problems on both sides of the fence.

If Esser comes out with legitimate critical bugs on the PHP/ZE side, then
it's going to have a long-term consequence.  Otherwise, it'll be disregarded
as hype.

---
Hans Zaunere / President / New York PHP
    www.nyphp.org  /  www.nyphp.com
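The thread makes two points a defender can act on: the configuration knobs Nate mentions (register_globals, allow_url_fopen) do shrink the application's target profile, while a memory-safety bug inside an extension such as the one csnyder describes in getimagesize() is not something php.ini can fix; only patching, least-privilege process accounts and isolation help there. The script below is an added example, not code from the thread or from any of the projects named in it: it audits the running interpreter against a small hardening baseline using PHP's real ini_get(), and flags the directives that are still in their risky state. The baseline itself and the function names are this example's assumptions, not a published standard.

```php
<?php
// Added example (not from the mailing-list thread): audit the running PHP
// configuration against a hardening baseline. Directive names are real
// php.ini settings; the chosen baseline values are an assumption of this example.

// Boolean directives that should be Off. register_globals was removed in
// PHP 5.4 and allow_url_include was added in 5.2; ini_get() returns false
// for a directive that does not exist in the running version, and the
// audit skips those rather than reporting them.
const HARDENING_BASELINE = [
    'register_globals'  => false,  // request data must not become global variables
    'allow_url_fopen'   => false,  // fopen()/include of remote URLs
    'allow_url_include' => false,  // include/require of remote URLs
    'expose_php'        => false,  // X-Powered-By header leaks the exact version
    'display_errors'    => false,  // stack traces and paths must not reach clients
];

// Normalise the string forms php.ini accepts ("1", "On", "true", "yes", "")
// into a real boolean.
function ini_flag_enabled(string $value): bool
{
    return in_array(strtolower(trim($value)), ['1', 'on', 'true', 'yes'], true);
}

// Compare one directive's current value with the wanted value.
// Returns null when the directive is unknown to this PHP build.
function check_directive(string $directive, bool $wanted): ?array
{
    $raw = ini_get($directive);
    if ($raw === false) {
        return null; // directive does not exist in this PHP version
    }
    $actual = ini_flag_enabled((string) $raw);
    return [
        'directive' => $directive,
        'actual'    => $actual ? 'On' : 'Off',
        'wanted'    => $wanted ? 'On' : 'Off',
        'ok'        => $actual === $wanted,
    ];
}

// Run the whole baseline and return only the findings that need attention.
function audit_php_ini(array $baseline): array
{
    $findings = [];
    foreach ($baseline as $directive => $wanted) {
        $result = check_directive($directive, $wanted);
        if ($result !== null && !$result['ok']) {
            $findings[] = $result;
        }
    }
    return $findings;
}

// Usage: run from the CLI with the same php.ini the web SAPI uses
// (php -c /path/to/php.ini audit.php), since the CLI defaults differ.
$findings = audit_php_ini(HARDENING_BASELINE);
if ($findings === []) {
    echo "All baseline directives are in their hardened state.\n";
} else {
    foreach ($findings as $f) {
        printf("%-18s is %-3s (wanted %s)\n", $f['directive'], $f['actual'], $f['wanted']);
    }
}
```

Note that string-valued directives such as open_basedir and disable_functions matter just as much but need a different comparison than the boolean check above; and, as the thread says, none of these settings address a crafted-file overflow inside an extension, which is a patching and process-isolation problem rather than a configuration one.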