On Mon, 05 Mar 2007, Wendall Cada wrote:
> There is an XSS vulnerability in PHP that affects some stable webapps.
> Details can be found here:
> http://www.php-security.org/MOPB/MOPB-08-2007.html

Hi,

there are a lot of more serious bugs affecting PHP and PHP apps with that MOPB. See
https://bugs.gentoo.org/buglist.cgi?bug_status=__open__&product=Gentoo+Security&content=php

> I know this affects phpWebSite since there is a phpinfo file in setup.

The XSS is not permanent, and as said earlier, this is a very weak issue. I would nearly say it's a non-issue since that is the expected theoretical behaviour of phpinfo(). Also, don't forget to restrict access to phpinfo() to a trusted network only.

> This will be removed upstream. All other apps need to be checked as well. I'm
> running PHP Version 5.1.6-pl6-gentoo on my laptop right now and the XSS
> attack works quite well. Not sure who maintains anything with regard to
> webapps nowadays. I've come up with no response to several inquiries.

The devs who are currently maintaining PHP are very active due to that Month of PHP Bugs, so they have probably not received your inquiries; otherwise I'm pretty sure they would have pointed you to bug 169372.

> Figured everyone on the list would like to secure their servers in the
> meanwhile.

Those who are concerned with security should follow our GLSAs. Those who are really worried about real-time security should follow our bugzilla, different information sources (full-disclosure, secunia...), or the upstream advisories.

Generally, if you are warned about a security weakness on a stable Gentoo package, please go to bugs.gentoo.org, perform a quick search, and if the search returns no result, please open a bug in the "Gentoo Security" category (but most of the time, there will already be an open bug). In that case the bug already existed.

Cheers,
--
Raphael Marichez aka Falco
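The reply above recommends restricting phpinfo() to a trusted network rather than treating the reflected XSS as a real fix target. The wrapper below is an added example of one way to do that in PHP itself; it is not code from the original thread, from phpWebSite or from Gentoo. It assumes PHP 7 or later syntax, that the page is served directly (so $_SERVER['REMOTE_ADDR'] is the real client address, not a proxy), and the TRUSTED_NETWORKS ranges are placeholders to be replaced with your own.

```php
<?php
// Added example (not from the original thread): only call phpinfo() when the
// client's REMOTE_ADDR falls inside an operator-defined allow-list of CIDR
// ranges. The ranges below are placeholders, not real deployment values.

const TRUSTED_NETWORKS = ['127.0.0.1/32', '10.0.0.0/8', '::1/128'];

// Return true when $ip lies within $cidr. Works for IPv4 and IPv6 by comparing
// the packed binary form; a family mismatch or malformed input never matches.
function ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        return false;
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    if (!ctype_digit($bits)) {
        return false;
    }
    $ipBin  = @inet_pton($ip);
    $subBin = @inet_pton($subnet);
    if ($ipBin === false || $subBin === false || strlen($ipBin) !== strlen($subBin)) {
        return false;
    }
    $bits = (int) $bits;
    if ($bits < 0 || $bits > strlen($ipBin) * 8) {
        return false;
    }
    // Compare whole prefix bytes first, then the partial byte (if any).
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($subBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($subBin[$fullBytes]) & $mask);
}

// Decide from the request environment whether the client is trusted.
// Deliberately ignores X-Forwarded-For: it is client-supplied unless a
// trusted reverse proxy overwrites it, so it must not gate a sensitive page.
function client_is_trusted(array $server, array $networks): bool
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    if ($ip === '') {
        return false;
    }
    foreach ($networks as $net) {
        if (ip_in_cidr($ip, $net)) {
            return true;
        }
    }
    return false;
}

// Entry point when served over HTTP; skipped under the CLI so the helpers can
// be exercised from tests without emitting a phpinfo() page.
if (PHP_SAPI !== 'cli') {
    if (!client_is_trusted($_SERVER, TRUSTED_NETWORKS)) {
        http_response_code(403);
        header('Content-Type: text/plain');
        exit("Forbidden\n");
    }
    phpinfo();
}
```

Keeping the check in the script is a fallback, not a replacement, for an allow-list in the web server configuration: a misplaced copy of the file, or a setup directory left behind after install, is still covered only if the guard travels with it, so do both, and delete phpinfo pages from production once setup is finished.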
