|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Full-disclosure] Critical PHP bug - act ASAP if you are running web with sensitive data
From: Tõnu Samuel (tonu
jes.ee)
Date: Tue Mar 28 2006 - 06:55:24 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi everybody!
I want to tell that pretty nasty bug was discovered in PHP (all tested
versions were vulnerable). I do not want to disclose much details as it may
hurt many websites. I expect PHP team to make patch first.
There is simple way to protect yourself against this bug if you put some code
in beginning of every source code looking for weird ASCII bytes before any
other code. Make some kind of "white-list" for characters you allow and deny
everything else.
More details to come when we have PHP patches distributed with major
distributions. I might disclose details before to some IDS vendor or other
trusted party.
Tõnu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]