Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 25 Feb 2009 08:57:03 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request - php (PHP BZ#27421)


----- "Steven M. Christey" <coley@...us.mitre.org> wrote:

> On Fri, 30 Jan 2009, Jan Lieskovsky wrote:
> 
> >   this PHP issue looks to desire a new CVE id.
> >
> > References:
> > http://bugs.php.net/bug.php?id=27421
> > https://bugzilla.redhat.com/show_bug.cgi?id=479272
> >
> 
> What attack scenario exists for this issue?  One virtual-host user can
> effectively DoS other virtual hosts running on the same Apache
> instance?
> 

Sorry for the delay on responding to this.

Yes, if one web user sets mbstring.func_overload = 7 in a .htaccess, it will
effectively disable any other multibyte enabled sites on the same webserver.

-- 
    JB

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ