-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Nice try, Stefan.

I reported this vulnerability more than three years ago (against 4.2.x) on October 12, 2002 via the PHP bug database. I was told to implement an .ini setting and the bug was marked "Bogus". For information, please see PHP Bug #19881:

http://bugs.php.net/bug.php?id=19881

That's a hell of a turnaround for you, Esser. It's the first security bug I've reported in your software that's actually been fixed. And it only took you *THREE YEARS*. We're finally making some progress here. Next time, you could try giving me credit for my research as well. Thanks.

Your work here represents an inexcusable degree of sloppiness and a complete conflict of interest. Instead of fixing the bug when I as a third-party researcher report it, you blow it off. Then, you conveniently rediscover it three years later, omitting all mention of the fact that *your own* project team refused to fix it the first time around.

Your project has just surpassed both Microsoft and Cisco as *the worst* security response in the business. Open source or commercial. At least I didn't have to worry about either of them stealing credit for my work, even if the legal goons at Cisco would prefer to sue me into oblivion.

I will never be working with you again, and I hope nobody else is foolish enough to, either.

Regards,
Matt Murphy

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDZlwZfp4vUrVETTgRA+LFAJwP9CQMyQsCsmfvGloD23Tf5iasFgCfSvRf
/qgehSPw/AoZhBJxb++a5Yg=
=PmAM
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/