Hello Stefan,

basically you want to explain to everybody how to use those millions of unpatched servers.

marcus

Sunday, August 1, 2004, 2:33:04 PM, you wrote:

> Hi,
> I know that this is maybe a little bit off-topic, but I assume that most
> people on this list are used to compiling PHP just for testing purposes.
> I am currently planning to write a paper about the memory_limit security
> bug that was announced last month. Actually the paper will explain in
> detail what the bug is and how it can be exploited to execute arbitrary
> code.
> The paper itself will be written because a few people requested it, a
> lot of media reported it as a buffer overflow (which is completely
> wrong) and just because I need some training in writing papers for
> university.
> So if anyone here would like to support me in writing this paper just grab
> a copy of http://security.e-matters.de/mlxdebug.tgz
> This package has some special patches in it (for PHP 4.3.2-4.3.7) that
> write debug output for every emalloc/efree/erealloc and
> php_register_variable_ex call into a file within /tmp.
> The package includes a description of how the test works. It basically
> consists of compiling PHP on your normal platform: f.e. OpenBSD Apache2
> CGI. You should just add --enable-memory-limit to your standard
> configure line and turn register_globals on. The rest is all explained
> in the package.
> Stefan Esser
> PS: those debug files would help me a lot to prove that a few things are
> easier than one thinks.

--
Best regards,
Marcus mailto:[EMAIL PROTECTED]

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php