FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Heartbleed bug?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Heartbleed bug? [message #185554 is a reply to message #185543] Thu, 10 April 2014 23:01 Go to previous messageGo to previous message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma:
Senior Member
On Thu, 10 Apr 2014 14:03:25 +0200, Christoph Michael Becker wrote:

> Jerry Stuckle wrote:

>> You can ASS-U-ME all you want. I go by the facts. And if I were
>> concerned about PHP being involved, I would ask the OpenSSL people.

> I would rather ask the PHP people, because they know best in which way
> PHP uses OpenSSL. Fortunately, that is not necessary anymore:

As far as I can tell, PHP does not "use" OpenSSL directly itself, unless
a person writing php scripts calls functions that do use OpenSSL, and it
only seems to be when those functions are used that the vulnerability can
be exploited.

For example, the following php script as a web page has no exposure to
the OpenSSL vulnerability:

<?php
echo "<!doctype html><html lang='en'><head><title>Test</title></
head><body><h1>Hello World</h1></body></html>"
?>

However, if you have perhaps written a server process in php that opens
sockets for encrypted communication, or perhaps if you have been opening
https sessions as a client using curl, then you may have exposed the
vulnerability in such a way that it could be exploited (and I'm not
actually sure about the curl thing).

Hence, for any specific case, it is only possible to answer the question
"is this PHP installation exposed to heartbleed" by knowing whether the
PHP code is exposing the exploitable vulnerability. To know that, you
need to know enough about the SSL side of the vulnerability to know if
your PHP calls are calling the affected SSL features, and enough about
the individual PHP installation you are discussing to know what SSL
features it calls.

So basically no-one here can judge the vulnerability of the php code on
any individual server to heartbleed unless they have a pretty intimate
knowledge of the php code running on that server and know enough about
the php / ssl interfaces and heartbleed to identify any php calls that
may expose the vulnerability.

--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: cURL and response code 302
Next Topic: PHP Parse error: syntax error, unexpected '$sql' (T_VARIABLE) in
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Thu Nov 28 05:56:35 GMT 2024

Total time taken to generate the page: 0.05981 seconds