So what's the story with these seemingly unrelated, but very serious, bugs being found at the same time? Was this the result of a security audit or were three bugs of this magnitude really discovered spontaneously?
For a more serious answer though, they just got acquired. Definitely a possibility that they were holding back on announcing bugs out of fear of harming the acquisition.
If php_info is really as dangerous as this article makes it out to be these ‘vulnerabilities’ would be rather easy to scan for.
I think it’s time for a debate though what information is considered secret and what isn’t, and have php_info not reveal the information that is secret and the applications not store their secrets in a location that is not secret.
4 comments
[ 3.0 ms ] story [ 23.1 ms ] threadI think it’s time for a debate though what information is considered secret and what isn’t, and have php_info not reveal the information that is secret and the applications not store their secrets in a location that is not secret.