Is that a publicly accessible mailing list or does it just go to a few people?

On Mon, Apr 04, 2005 at 04:35:59AM GMT, Rasmus Lerdorf [EMAIL PROTECTED] said the following:
> Such issues should be directed to [EMAIL PROTECTED]
>
> Mark Krenz wrote:
> >  Hi, I've been using PHP for a long time and have recently found a
> >couple of major bugs that would allow pretty much any user on a shared
> >web hosting server to read other users' files. The conditions for this
> >exploit are quite common. Also, from what I can tell, this exploit
> >would not be very easy to fix and in fact may not be fixable until a
> >peruser MPM for Apache is completely ready (Like perchild or Metux).
> >It could be that you already know about this problem but have also not
> >reported it. I couldn't find any other information about it from doing
> >some searches.
> >
> >  This leads me to wonder, is it a good idea to make this vulnerability
> >known? On the one hand, releasing the information would allow admins
> >and developers to try to fix it, but on the other hand, if it's not
> >immediately fixable it would allow for a large window of opportunity for
> >attacks. Thus, I came to this list for some advice on what I should do.
> >Maybe I could at least email one of you privately so that you can see
> >what it is.
> >
> >Thanks,
> >
> >Mark
> >
>

--
Mark S. Krenz
IT Director
Suso Technology Services, Inc.
http://suso.org/

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php