
[atlarge-discuss] PHP security holes and more to: Re: [atlarge-discuss] RE : [atlarge-discuss] RE : [atlarge-discuss] Forum Usage at dot-org



Daniel and all fellow members,

  You're full of it too!  PHP is garbage from a security
standpoint and is well known for its various
security holes.  See: http://www.sans.org/newsletters/sac/vol3_7.php
and {03.07.003} Cross - Vulnerable PHA applications 02/18 ,
 http://archives.neohapsis.com/archives/linux/suse/2003-q1/0500.html
and http://www.sans.org/newsletters/sac/sac2_11.php
reference
        {02.11.006} Cross - phpBB2 CGI phpbb_root_path command execution
also {02.11.007} Cross - PHPNuke/PostNuke account hijacking *This is
a big concern or should be*
also, {02.11.009} Cross - PHP Net Toolpack CGI command execution
additional reference:
http://archives.neohapsis.com/archives/bugtraq/2002-03/0131.html
and  http://archives.neohapsis.com/archives/bugtraq/2002-03/0176.html
Fix is at:  http://phpbb.sourceforge.net/phpBB2/viewtopic.php?t=9105
also another security hole for  PHP see:
 http://archives.neohapsis.com/archives/bugtraq/2002-03/0199.html

and again also:
 http://www.sans.org/newsletters/sac/sac2_10.php
Reference:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0021.html


  So, these are just a few of the many PHP security holes Daniel...
Read 'em and weep...

Daniel CHIRITA wrote:

> Daniel (hey it's my name too! :) )
>
> Please don't spend your time trying to explain something
> to Jeff Williams, he doesn't know what PHP is!
>
> Babel fish works great, but it's only an automatic translation,
> and I think we cannot trust it for the website: static pages
> (with low changes content) had to be translated 'by hand' (my
> English is very poor, but I see on the list a lot of people with
> solid skills) and for forums we can add a link to the babelfish system.
>
> Daniel CHIRITA
> Webteam
>
> >-----Original Message-----
> >From: Daniel R. Tobias [mailto:dan@tobias.name]
> >Sent: Thursday, 17 July 2003 06:04
> >To: Jeff Williams
> >Cc: atlarge-discuss@lists.fitug.de
> >Subject: Re: [atlarge-discuss] RE : [atlarge-discuss] Forum
> >Usage at dot-org
> >
> >
> >On 16 Jul 2003 at 22:25, Jeff Williams wrote:
> >
> >> As you can clearly see the translation is very inaccurate as
> >> I stated.
> >> Hence, as Jeff H. tried to point out, using a browser approach is far
> >> better and much easier.  And PHP data that the user sees is
> >> difficult
> >> to translate where HTTP is much more exacting...
> >
> >Ummm.... the user doesn't see either "php" or "HTTP" data... the user
> >sees HTML data, and it's irrelevant that it may have been pre-
> >processed server-side using PHP, and transmitted using the HTTP
> >protocol.
> >
> >And, if it has a URL, that can be fed into Babelfish or any other
> >translator without regard to whether it happens to end in ".php" or
> >not, and that program cares not at all about this.
> >
> >
> >--
> >== Dan ==
> >Dan's Mail Format Site: http://mailformat.dan.info/
> >Dan's Web Tips: http://webtips.dan.info/
> >Dan's Domain Site: http://domains.dan.info/
> >
> >
> >
>

Regards,

--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 131k members/stakeholders strong!)
"Be precise in the use of words and expect precision from others" -
    Pierre Abelard
===============================================================
CEO/DIR. Internet Network Eng. SR. Eng. Network data security
Information Network Eng. Group. INEG. INC.
E-Mail jwkckid1@ix.netcom.com
Contact Number: 214-244-4827 or 214-244-3801



---------------------------------------------------------------------
To unsubscribe, e-mail: atlarge-discuss-unsubscribe@lists.fitug.de
For additional commands, e-mail: atlarge-discuss-help@lists.fitug.de