Date: Wed, 25 Feb 2009 08:57:03 -0500 (EST) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE Request - php (PHP BZ#27421) ----- "Steven M. Christey" <coley@...us.mitre.org> wrote: > On Fri, 30 Jan 2009, Jan Lieskovsky wrote: > > > this PHP issue looks to desire a new CVE id. > > > > References: > > http://bugs.php.net/bug.php?id=27421 > > https://bugzilla.redhat.com/show_bug.cgi?id=479272 > > > > What attack scenario exists for this issue? One virtual-host user can > effectively DoS other virtual hosts running on the same Apache > instance? > Sorry for the delay on responding to this. Yes, if one web user sets mbstring.func_overload = 7 in a .htaccess, it will effectively disable any other multibyte enabled sites on the same webserver. -- JB
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ