That's obviously not what I meant... but I've been in situations
where there were LANs which were inaccessible by outside sources...
Never mind.. Not worth the discussion :)
Andi

At 07:35 AM 3/14/2006, Rasmus Lerdorf wrote:
Andi Gutmans wrote:
At 07:13 AM 3/14/2006, Pierre wrote:
Intranet apps do not need to be secure? That's new to me.

Depends what it is. A lot have to be secure, but some don't. For
example, some apps are on local networks (for example a group
Wiki), which are inaccessible outside a specific group.

Unless of course people click on links in this internal Wiki which
through the Referer leak details of what they are running which in
turn leads to a nice email attack or a Referer back-attack with a
link containing an XSS attack against this internal app. Bingo, we
have just exploited an internal inaccessible application. Internal
apps need a lot of scrutiny, perhaps even more so than public stuff
since internal apps are likely to contain more sensitive information
and people are tricked into thinking they shouldn't worry about them
because attackers don't have direct access.

Not that I disagree with providing easy upgrade instructions. It
gives us a chance to explain how to do things better. But we have
to be very careful about never giving people the idea that security
can be lax for an Intranet app.

-Rasmus
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
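
Added example, not part of the original thread and not PHP project code: one way an internal wiki could close both directions of the Referer problem described above, by suppressing the Referer on outbound links and by flagging and escaping requests that arrive from outside pages. The host name, function names and sample request values are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The host name and the sample
// request values below are constructed for illustration.
const INTERNAL_HOSTS = ['wiki.intranet.example'];

function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function is_internal_url(string $url): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) && in_array(strtolower($host), INTERNAL_HOSTS, true);
}

// Outbound direction: render a user-supplied absolute wiki link. Only
// http(s) is allowed, and links leaving the intranet get rel="noreferrer"
// so the browser does not send the internal page URL in the Referer header.
function render_wiki_link(string $url, string $label): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return e($label);                  // javascript:, data:, etc. become plain text
    }
    $rel = is_internal_url($url) ? '' : ' rel="noreferrer noopener"';
    return '<a href="' . e($url) . '"' . $rel . '>' . e($label) . '</a>';
}

// Inbound direction: a request whose Referer is an outside page is the
// "link back into the internal app" case, so it is worth logging.
function is_cross_site_request(array $server): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    return $referer !== '' && !is_internal_url($referer);
}

// Constructed sample request: arrives from an outside page with markup in q.
$server = ['HTTP_REFERER' => 'http://outside.example/page'];
$query  = ['q' => '"><b>injected</b>'];

if (is_cross_site_request($server)) {
    $from = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    error_log('cross-site entry into internal wiki from ' . json_encode($from));
}
echo render_wiki_link('http://outside.example/doc', 'vendor docs'), "\n";
echo '<p>Results for ' . e($query['q']) . "</p>\n";   // parameter is escaped on output
```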