'Re: [oss-security] CVE Request - php (PHP BZ#27421)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request - php (PHP BZ#27421)
From:       Josh Bressers <bressers () redhat ! com>
Date:       2009-02-25 13:57:03
Message-ID: 3030251.195591235570223652.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com
[Download RAW message or body]


----- "Steven M. Christey" <coley@linus.mitre.org> wrote:

> On Fri, 30 Jan 2009, Jan Lieskovsky wrote:
> 
> >   this PHP issue looks to desire a new CVE id.
> >
> > References:
> > http://bugs.php.net/bug.php?id=27421
> > https://bugzilla.redhat.com/show_bug.cgi?id=479272
> >
> 
> What attack scenario exists for this issue?  One virtual-host user can
> effectively DoS other virtual hosts running on the same Apache
> instance?
> 

Sorry for the delay on responding to this.

Yes, if one web user sets mbstring.func_overload = 7 in a .htaccess, it will
effectively disable any other multibyte enabled sites on the same webserver.

-- 
    JB
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic