On Tue, May 02, 2006 at 10:05:28PM -0700, paul dansing wrote: > Is there some reason this issue is being ignored? What, you people > need to see an exploit before you will even LOOK at it and answer > whether it is vuln?
I'm not the maintainer of php itself, but still I have an opinion. I don't like php, from a security point of view. It has an AWFUL track record. Some people will tell you it has seen lots of vulnerabilities because it's in heavy use. Well, I've had a look at the code, it has seen lots of vulnerabilities because it was never designed with security in mind. That said, we provide php because some people may want it. I personally would NOT want to run that on any kind of web server (in fact, I use perl's HTML::Mason as the same kind of framework). I can give you a simple answer though. Yes, php* is vulnerable. Doesn't matter whether you're talking about this vulnerability, or another. There will be another one lurking around the corner. Fixing vulnerabilities in the php code is like sticking a finger in a dike. Great legendary stuff, doesn't really work in reality.
