* Steve Langasek:

> However, in reading over the description of the vulnerabilities, I don't
> really see any grounds for regarding these as grave security bugs. The most
> severe of these problems, 202005.79, only has a significant impact when
> register_globals is set in the PHP environment -- a setting which has been
> strongly deprecated for quite some time, and which is disabled by default in
> sarge. There is a *lot* of PHP application code that is vulnerable to XSS
> or remote injection attacks when run with register_globals on,
There are plenty of installations in the field which run with register_globals=on. If I read the report correctly, some common workarounds to port code to register_globals=off also result in vulnerabilities. While the compatibility code should probably be considered vulnerable, it's desirable security-wise to add some additional protection. However, after taking other factors into account, it might still be a poor trade-off, of course.

> or which does stupid things with manually registering request
> variables as global variables; I'm not convinced that this warrants
> a grave bug against PHP...

I think it boils down to whether Debian wants to offer security support for register_globals=on configurations. So far, I assumed the answer is "yes". I don't mind changing it to a "no" for practical reasons, but this has to be documented somewhere (like the lack of "safe mode" security support, ahem).

