Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: PHP import_request_variables() arbitrary variable overwrite
From: Stefan Esser <sesser () hardened-php net>
Date: Sat, 10 Mar 2007 18:23:42 +0100

Hello Stefano,

first of all. I am not angry at you, although my mail might have sounded
so, but at the people that deserve it.

The fault of the PHP Security Response Team is not yours. They are the
ones that give credit to the wrong persons.
Luckily after 2.5 years they fixed that issue (or atleast tried so).

Anyway it seems that your month of php bugs is getting php developers
more sensitive to all issues...
Maybe there was some misunderstanding between you and dev team and the
core team was less interested in this kind of flaws at that time.
This is the goal of the MOPB. And right now it might look like the MOPB
was already successfull. Unfortunately I have worked together with the
PHP Security Response Team for several years and I know how they react.
They might be active for a little while (especially when the media looks
at them) but when that period of time is over they will continue with
their old habits.

Stefan Esser

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]