Andi Gutmans wrote:
At 07:13 AM 3/14/2006, Pierre wrote:
Intranet apps do not need to be secure? That's new to me.
Depends what it is. A lot have to be secure, but some don't. For
example, some apps are on local networks (for example a group Wiki),
which are inaccessible outside a specific group.
Unless of course people click on links in this internal Wiki which
through the Referer leak details of what they are running which in turn
leads to a nice email attack or a Referer back-attack with a link
containing an XSS attack against this internal app. Bingo, we have just
exploited an internal inaccessible application. Internal apps need a
lot of scrutiny, perhaps even more so than public stuff since internal
apps are likely to contain more sensitive information and people are
tricked into thinking they shouldn't worry about them because attackers
don't have direct access.
Not that I disagree with providing easy upgrade instructions. It gives
us a chance to explain how to do things better. But we have to be very
careful about never giving people the idea that security can be lax for
an Intranet app.
-Rasmus
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php