FUDforum: comp.lang.php » Heartbleed bug?

Home » Imported messages » comp.lang.php » Heartbleed bug?

Show: Today's Messages :: Polls :: Message Navigator

Re: Heartbleed bug? [message #185554 is a reply to message #185543]

Thu, 10 April 2014 23:01

Denis McMahon
Messages: 634
Registered: September 2010

Karma:

Senior Member

On Thu, 10 Apr 2014 14:03:25 +0200, Christoph Michael Becker wrote:

> Jerry Stuckle wrote:

>> You can ASS-U-ME all you want. I go by the facts. And if I were
>> concerned about PHP being involved, I would ask the OpenSSL people.

> I would rather ask the PHP people, because they know best in which way
> PHP uses OpenSSL. Fortunately, that is not necessary anymore:

As far as I can tell, PHP does not "use" OpenSSL directly itself, unless
a person writing php scripts calls functions that do use OpenSSL, and it
only seems to be when those functions are used that the vulnerability can
be exploited.

For example, the following php script as a web page has no exposure to
the OpenSSL vulnerability:

<?php
echo "<!doctype html><html lang='en'><head><title>Test</title></
head><body><h1>Hello World</h1></body></html>"
?>

However, if you have perhaps written a server process in php that opens
sockets for encrypted communication, or perhaps if you have been opening
https sessions as a client using curl, then you may have exposed the
vulnerability in such a way that it could be exploited (and I'm not
actually sure about the curl thing).

Hence, for any specific case, it is only possible to answer the question
"is this PHP installation exposed to heartbleed" by knowing whether the
PHP code is exposing the exploitable vulnerability. To know that, you
need to know enough about the SSL side of the vulnerability to know if
your PHP calls are calling the affected SSL features, and enough about
the individual PHP installation you are discussing to know what SSL
features it calls.

So basically no-one here can judge the vulnerability of the php code on
any individual server to heartbleed unless they have a pretty intimate
knowledge of the php code running on that server and know enough about
the php / ssl interfaces and heartbleed to identify any php calls that
may expose the vulnerability.

--
Denis McMahon, denismfmcmahon(at)gmail(dot)com

Report message to a moderator

[Message index]

		Heartbleed bug? By: Kevin Burton on Wed, 09 April 2014 12:24
		Re: Heartbleed bug? By: Jerry Stuckle on Wed, 09 April 2014 13:17
		Re: Heartbleed bug? By: Robert Heller on Wed, 09 April 2014 13:56
		Re: Heartbleed bug? By: Jerry Stuckle on Wed, 09 April 2014 15:21
		Re: Heartbleed bug? By: Christoph Michael Bec on Wed, 09 April 2014 15:43
		Re: Heartbleed bug? By: Jerry Stuckle on Wed, 09 April 2014 17:37
		Re: Heartbleed bug? By: Arno Welzel on Thu, 10 April 2014 06:51
		Re: Heartbleed bug? By: Jerry Stuckle on Thu, 10 April 2014 11:52
		Re: Heartbleed bug? By: Christoph Michael Bec on Thu, 10 April 2014 12:03
		Re: Heartbleed bug? By: Jerry Stuckle on Thu, 10 April 2014 16:36
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 23:01
		Re: Heartbleed bug? By: The Natural Philosoph on Thu, 10 April 2014 23:47
		Re: Heartbleed bug? By: Eli the Bearded on Fri, 11 April 2014 00:38
		Re: Heartbleed bug? By: Jerry Stuckle on Fri, 11 April 2014 01:58
		Re: Heartbleed bug? By: Denis McMahon on Fri, 11 April 2014 02:59
		Re: Heartbleed bug? By: The Natural Philosoph on Fri, 11 April 2014 03:36
		Re: Heartbleed bug? By: Jerry Stuckle on Fri, 11 April 2014 16:08
		Re: Heartbleed bug? By: Arno Welzel on Thu, 10 April 2014 20:54
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 22:45
		Re: Heartbleed bug? By: Arno Welzel on Fri, 11 April 2014 06:33
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 15:47
		Re: Heartbleed bug? By: Robert Heller on Wed, 09 April 2014 15:56
		Re: Heartbleed bug? By: Jerry Stuckle on Wed, 09 April 2014 17:38
		Re: Heartbleed bug? By: M. Strobel on Wed, 09 April 2014 22:11
		Re: Heartbleed bug? By: Jerry Stuckle on Thu, 10 April 2014 11:53
		Re: Heartbleed bug? By: The Natural Philosoph on Wed, 09 April 2014 20:02
		Re: Heartbleed bug? By: Adam Harvey on Wed, 09 April 2014 23:43
		Re: Heartbleed bug? By: Eli the Bearded on Thu, 10 April 2014 00:01
		Re: Heartbleed bug? By: Arno Welzel on Thu, 10 April 2014 06:43
		Re: Heartbleed bug? By: Arno Welzel on Thu, 10 April 2014 06:57
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 15:50
		Re: Heartbleed bug? By: The Natural Philosoph on Thu, 10 April 2014 18:37
		Re: Heartbleed bug? By: Arno Welzel on Thu, 10 April 2014 20:56
		Re: Heartbleed bug? By: M. Strobel on Thu, 10 April 2014 21:32
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 23:14
		Re: Heartbleed bug? By: Arno Welzel on Fri, 11 April 2014 06:23
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 15:42
		Re: Heartbleed bug? By: Arno Welzel on Fri, 11 April 2014 11:00

Previous Topic:	cURL and response code 302
Next Topic:	PHP Parse error: syntax error, unexpected '$sql' (T_VARIABLE) in

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Sat Nov 23 17:50:02 GMT 2024

Total time taken to generate the page: 0.05194 seconds