On 7/10/10 3:34 PM, Reindl Harald wrote:
>
> On 11.07.2010 00:29, Rasmus Lerdorf wrote:
>> On 7/10/10 3:17 PM, Reindl Harald wrote:
>>> What is enough on shared hosting because there are many ways
>>> to trigger local exploits. If there is ANY eval-injection
>>> in a for the admin unknown script you have a full remote-exploit
>>
>> Shared hosts need to take other measures such as chroot'ed environments
>> or VMs. There are way too many local exploits, many of which have
>> nothing to do with PHP in underlying 3rd-party libraries.
>
> You mean possible existing security-problems in other software
> is a reliable reason to not fix them as soon as possible?
>
> Strange attitude....

We do fix them, but we don't have the capacity to do point releases for
every local exploit fix. We simply don't have enough people to do that.
A shared host who is worried about local exploits needs to take other
measures because most of the software in the stack is in the same boat
as PHP on exploits of this nature. Most don't even worry about them
actually. It is only because we took some steps towards trying to secure
the local environment that it is an "issue" with PHP.

-Rasmus

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php