Christopher Kunz's Blog:
PHPKIT vulnerabilities revisited
Feb 06, 2006 @ 06:40:05

On his blog, Christopher Kunz has a new note for everyone running PHPKIT: several security issues in the product were reported to the vendor and were not addressed as quickly as they needed to be.

A while back, I reported several vulnerabilities in PHPKIT to the vendors. Although not very well-known in the rest of the world, there's an abundance of installations of this product in German-speaking countries, since it is very easy to install, provides a German user (and administration) interface and has about the same feature set as the infamous PHP-Nuke.

After I reported the vulnerability, no response whatsoever was received. I phoned the vendor, and they told me something about an ominous "community release" and that I should report the issues in their forum. I gave the advisory (including PoC for each hole) to the forum administrator and told them to get a fix out of the door. They responded in a very weird fashion, but allegedly fixed the bugs and released an unofficial patch in the forum.

He goes on in the post to explain why a distribution method like this isn't the wisest course of action. A patch posted in a forum is slower to distribute and to apply than a full version release, and fewer administrators will ever hear of it, especially when it reaches them through less than "official" means...

tagged: phpkit vulnerabilities look again patch release

Link:
