Re: PHP Security Hole

by sstahl(at)shaw.ca

 Date:  Fri, 01 Mar 2002 10:55:54 -0600
 To:  Hank Marquardt <hmarq(at)yerpso.net>
 Cc:  Norman Bunn <norman.bunn(at)craftedsolutions.com>, hwg-languages(at)hwg.org
Remember though that this vulnerability only affects installations with
file uploading on.  A short-term fix for most would be to disable this
feature.

Scott.

----- Original Message -----
From: Hank Marquardt <hmarq(at)yerpso.net>
Date: Friday, March 1, 2002 9:16 am
Subject: Re: PHP Security Hole

> The silver lining --
> 
> I was hoping in a 'nobody gets hurt' kind of way that someone would find
> a remote exploit for PHP -- the reason?
> 
> I have probably worked on 50 different servers (approx) for clients ...
> and of those 50 probably 5 are still stuck in PHP3land 2.5 years after
> 4's introduction ... and very few of the remaining ones were anywhere
> near a current version of 4.x -- so a forced security upgrade is a
> good thing; and fortunately PHP has reached such critical mass usage wise
> that the ISPs can't say "well because of this we no longer offer PHP"
> because it would actually harm their business.
> 
> So while it was no fun for me to do a dozen or so upgrades in an
> evening -- I think the overall gain may be worth the short term pain.
> 
> "when given a lemon, make lemonade"
> 
> Hank
> 
> 
> On Fri, Mar 01, 2002 at 08:42:13AM -0500, Norman Bunn wrote:
> > Security hole uncovered in PHP
> > 
> > A buffer-overflow vulnerability in the open-source PHP scripting language could
> > allow an attacker to run malicious code on a victim's site.
> > 
> > http://computerworld.com/nlt/1%2C3590%2CNAV47_STO68693_NLTPM%2C00.html
> > 
> > Thought you'd like to know,
> > 
> > Norman
> > 
> 
> -- 
> Hank Marquardt <hank(at)yerpso.net>
> http://web.yerpso.net
> GPG Id: 2BB5E60C
> Fingerprint: D807 61BC FD18 370A AC1D  3EDF 2BF9 8A2D 2BB5 E60C
> *** Web Development: PHP, MySQL/PgSQL - Network Admin: Debian/FreeBSD
> *** PHP Instructor - Intnl. Webmasters Assn./HTML Writers Guild 
> *** Beginning PHP && PHP II -- Starting March 25, 2002 
> *** See http://www.hwg.org/services/classes
> 

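The short-term mitigation Scott describes above (turn file uploading off until the host can be upgraded) maps onto PHP's standard file_uploads ini directive. The following is an added triage script, not code from anyone in this thread or from the PHP project; it assumes nothing beyond stock PHP ini directives, and the function and message names are our own. Running it on each of the "50 different servers" Hank mentions shows at a glance which hosts still have uploads on and what PHP version they run.

```php
<?php
// Added example, not code from the thread: a small triage script for the
// mitigation Scott describes (disable file uploading until you can upgrade).
// The function names and verdict strings here are our own invention.

// Collect the facts an admin wants from each box: PHP version, whether the
// file_uploads directive is on, and the two related upload settings.
function upload_status()
{
    // ini_get() returns the raw ini string; "0", "" and "Off"-style values
    // all mean disabled, so normalise through filter_var().
    $enabled = filter_var(ini_get('file_uploads'), FILTER_VALIDATE_BOOLEAN);
    return array(
        'php_version'         => PHP_VERSION,
        'file_uploads'        => $enabled,
        'upload_max_filesize' => ini_get('upload_max_filesize'),
        'upload_tmp_dir'      => ini_get('upload_tmp_dir'),
    );
}

// One-line verdict for the host this runs on.
function upload_verdict(array $s)
{
    if (!$s['file_uploads']) {
        return "file_uploads is Off: the short-term mitigation from the thread is in place.";
    }
    return "file_uploads is On: upgrade PHP, or set file_uploads = Off until you can.";
}

$status = upload_status();
printf("PHP %s (%s)\n", $status['php_version'], PHP_SAPI);
printf("file_uploads=%s upload_max_filesize=%s upload_tmp_dir=%s\n",
    $status['file_uploads'] ? 'On' : 'Off',
    $status['upload_max_filesize'],
    $status['upload_tmp_dir'] === '' ? '(system default)' : $status['upload_tmp_dir']);
echo upload_verdict($status), "\n";
```

To apply the mitigation itself, change `file_uploads = On` to `file_uploads = Off` in php.ini and restart the web server; under mod_php the same thing can be forced per virtual host from httpd.conf with `php_admin_flag file_uploads Off`, which a site's own .htaccess cannot override. Run the script through the web server rather than only from the command line, since the two SAPIs can read different php.ini files and the web one is the setting that matters.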
HWG: hwg-languages mailing list archives, maintained by Webmasters @ IWA