Date: Wed, 29 Dec 2004 10:47:33 -0700
From: Brett Glass <brett@lariat.org>
To: "Jerry Bell" <jerry@syslog.org>, "Sean Countryman" <sean@rackoperations.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Found security expliot in port phpBB 2.0.8 FreeBSD4.10
Message-ID: <6.2.0.14.2.20041229104315.05a8f5f8@localhost>
In-Reply-To: <3741.209.134.164.137.1104330634.squirrel@209.134.164.137>
References: <34657.24.230.37.14.1104187002.squirrel@24.230.37.14> <2990.24.98.86.57.1104197295.squirrel@24.98.86.57> <41D0C276.7080100@elischer.org> <xzpk6r1tdc2.fsf@dwp.des.no> <41D2BB75.7030607@rackoperations.com> <3741.209.134.164.137.1104330634.squirrel@209.134.164.137>
At 07:30 AM 12/29/2004, Jerry Bell wrote:

>At the end of the day, PHP isn't really the problem. The problem is that
>people are not taking the time to learn how to code securely given the
>tool they are using.

In this case, the problem is really not the language but the Web itself. Preserving the state of an ongoing transaction in a secure and tamper-proof manner is a thorny problem regardless of language -- and it has gotten harder because the abuse of cookies to invade privacy has caused so many people to restrict them or turn them off. Absent a default solution that's already been honed for security, programmers will tend to cut corners or will have to learn security basics from scratch -- the hard way.

--Brett Glass
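As an added example (not code from this thread or from phpBB), one way to carry transaction state on the client in a tamper-evident form, which is the problem Brett describes: the server serialises the state, stamps it with an issue time and binds it to an HMAC under a server-side secret, so any alteration of the state, or its reuse after expiry, is detected when it comes back in a cookie, hidden field or URL. The secret key, the TTL and the sample state are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder secret; a real deployment loads this from configuration.
SECRET_KEY = b"example-secret-do-not-use-in-production"
TOKEN_TTL_SECONDS = 900  # assumed lifetime of a state token: 15 minutes


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(state: dict, issued_at: int) -> bytes:
    # Canonical JSON so the same state always yields the same bytes under the MAC.
    return json.dumps({"s": state, "iat": issued_at}, sort_keys=True,
                      separators=(",", ":")).encode()


def issue_state(state: dict, now=None) -> str:
    """Return '<payload>.<tag>' where tag = HMAC-SHA256(SECRET_KEY, payload)."""
    now = int(time.time()) if now is None else now
    payload = _encode(state, now)
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_state(token: str, now=None):
    """Return the embedded state if the tag is valid and the token is fresh, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
        body = json.loads(payload)
    except (ValueError, TypeError):
        return None  # malformed token: treat exactly like a forged one
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how much of the tag matched.
    if not hmac.compare_digest(expected, tag):
        return None
    if now - int(body.get("iat", 0)) > TOKEN_TTL_SECONDS:
        return None  # stale state: reject rather than resume the old transaction
    return body["s"]


def tamper_demo():
    """Genuine token verifies; a modified payload and an expired token are both rejected."""
    tok = issue_state({"user": "alice", "step": 2, "amount": 10}, now=1_000_000)
    genuine_ok = verify_state(tok, now=1_000_100) is not None
    # Same tag, but the state bytes were changed after issue: the MAC no longer matches.
    modified = _b64(_encode({"user": "alice", "step": 2, "amount": 10000}, 1_000_000))
    modified_rejected = verify_state(modified + "." + tok.split(".", 1)[1], now=1_000_100) is None
    expired_rejected = verify_state(tok, now=1_000_000 + TOKEN_TTL_SECONDS + 1) is None
    return genuine_ok, modified_rejected, expired_rejected
```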