Zeev,

I don't know why you believe that I reported crash bugs. Yes of course the local exploits I sent to [EMAIL PROTECTED] were only crashing PHP, because they were 1-2-3 line Proof Of Concept Codes. Except for one DOS only bug all the bugs can be exploited to execute arbitrary code or access memory areas (read or write). And you will see it in the Months of PHP bugs, when every released exploit will be functional.

> After you left and started sending local exploits (with a few being
> remotely exploitable, but most of them not), I looked at it as some
> sort of a wakeup call. Not that they existed - it's pretty clear that a

Last time I checked a single remote exploit is enough to take over the PHP process.

The local vulnerabilities I sent are those that can be found from a very quick audit and should be obvious to any security-aware C programmer (that knows a bit about the PHP source code). It is a pity that PHP obviously lacks these kinds of programmers. And it is a pretty good proof that Coverity does not find anything of value.

You want some more remote exploits. No problem. We have to wait a few weeks or months until enough new lines of code have been committed and there will be the next overflows.

But considering how I was attacked again today for telling Rasmus to tell the truth, I strongly believe that a second Month of PHP Bugs should be scheduled for the future that comes without any warning and shows your real performance.

However it was quite amazing that Andi shared his hallucinations about my quit reasons with the world.

Stefan Esser

--
PHP Internals - PHP Runtime Development Mailing List