Re: PHP Security Hole
From: sstahl(at)shaw.ca
Date: Fri, 01 Mar 2002 10:55:54 -0600
To: Hank Marquardt <hmarq(at)yerpso.net>
Cc: Norman Bunn <norman.bunn(at)craftedsolutions.com>, hwg-languages(at)hwg.org

Remember though that this vulnerability only affects installations with
file uploading on. Short-term fix for most would be to disable this
feature.
Scott.
----- Original Message -----
From: Hank Marquardt <hmarq(at)yerpso.net>
Date: Friday, March 1, 2002 9:16 am
Subject: Re: PHP Security Hole
> The silver lining --
>
> I was hoping in a 'nobody gets hurt' kind of way that someone
> would find
> a remote exploit for PHP -- the reason?
>
> I have probably worked on 50 different servers (approx) for
> clients ...
> and of those 50 probably 5 are still stuck in PHP3land 2.5 years
> after
> 4's introduction ... and very few of the remaining ones were anywhere
> near a current version of 4.x -- so a forced security upgrade is a
> good thing; and fortunately PHP has reached such critical mass
> usage-wise
> that the ISPs can't say "well because of this we no longer offer PHP"
> because it would actually harm their business.
>
> So while it was no fun for me to do a dozen or so upgrades in an
> evening-- I think the overall gain may be worth the short term pain.
>
> "when given a lemon, make lemonade"
>
> Hank
>
> On Fri, Mar 01, 2002 at 08:42:13AM -0500, Norman Bunn wrote:
> > Security hole uncovered in PHP
> >
> > A buffer-overflow vulnerability in the open-source PHP scripting
> > language could
> > allow an attacker to run malicious code on a victim's site.
> >
> > http://computerworld.com/nlt/1%2C3590%2CNAV47_STO68693_NLTPM%2C00.html
> > Thought you'd like to know,
> >
> > Norman
> >
>
> --
> Hank Marquardt <hank(at)yerpso.net>
> http://web.yerpso.net
> GPG Id: 2BB5E60C
> Fingerprint: D807 61BC FD18 370A AC1D 3EDF 2BF9 8A2D 2BB5 E60C
> *** Web Development: PHP, MySQL/PgSQL - Network Admin: Debian/FreeBSD
> *** PHP Instructor - Intnl. Webmasters Assn./HTML Writers Guild
> *** Beginning PHP && PHP II -- Starting March 25, 2002
> *** See http://www.hwg.org/services/classes
>
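For anyone applying Scott's short-term fix across a lot of hosts, the added script below (not from this thread; it is an example written for this archive) audits a php.ini for the real `file_uploads` directive and reports whether uploads are effectively on or off. It treats an absent directive as On, which is PHP's built-in default, so a server that never set it still counts as exposed. The two sample ini files it checks are constructed inline.

```shell
#!/bin/sh
# Added example, not code from the thread: audit php.ini for the file_uploads
# directive that the short-term mitigation above turns off.
# 'file_uploads' is the real php.ini key; the sample ini files are constructed.

# Print "on" or "off" for the effective file_uploads setting in one php.ini.
# The last uncommented assignment wins; an absent directive means PHP's
# built-in default, which is On.
file_uploads_state() {
    ini="$1"
    line=$(grep -iE '^[[:space:]]*file_uploads[[:space:]]*=' "$ini" | tail -n 1)
    if [ -z "$line" ]; then
        echo on
        return 0
    fi
    # keep what follows '=', drop trailing comments, quotes and whitespace, lowercase
    val=$(printf '%s\n' "$line" | sed -e 's/^[^=]*=//' -e 's/[;#].*$//' \
          | tr -d '[:space:]"' | tr 'A-Z' 'a-z')
    case "$val" in
        1|on|true|yes) echo on ;;
        *) echo off ;;
    esac
}

# Constructed sample configurations: the exposed one and the mitigated one.
tmp=$(mktemp -d)
cat > "$tmp/weak.ini" <<'EOF'
; constructed php.ini excerpt: uploads enabled (exposed configuration)
file_uploads = On
upload_max_filesize = 2M
EOF
cat > "$tmp/hardened.ini" <<'EOF'
; constructed php.ini excerpt: uploads disabled (short-term mitigation)
; file_uploads = On   <- previous setting left commented out
file_uploads = Off
EOF
cat > "$tmp/unset.ini" <<'EOF'
; constructed php.ini excerpt: directive never set, so PHP's default (On) applies
upload_max_filesize = 2M
EOF

for f in weak hardened unset; do
    echo "$f.ini: file_uploads $(file_uploads_state "$tmp/$f.ini")"
done
```

Run it as-is to see the three sample results, or call `file_uploads_state /path/to/php.ini` on a real server; only `off` means the upload code path is disabled.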
HWG: hwg-languages mailing list archives,
maintained by Webmasters @ IWA