GoFuckYourself.com - Adult Webmaster Forum - View Single Post

Phil21 · 07-22-2002, 10:18 AM

Didn't see another thread on this. Strange.

Anyways, guessing most hosting companies have allready upgraded (rght? comon now! ;) ) but those with dedicated servers that are unmanaged by your host will need to upgrade ASAP.

Essentially this is a remote code execution exploit, i.e. the bad one. This is has much more immediate potential than the Apache vulnerability about a month ago. UPGRADE IMMEDIATELY.

Effected versions are 4.2.x up until 4.2.2 (the bugfix release). Older versions may or may not be effected, there seems to be some disagreement about this. I would upgrade to be safe.

An interim fix would be to disable both .htaccess (to keep from overrriding apache config) and disabling HTTP POST requests if you have nothing that uses POST's.

As I speak, php.net is down. You can grab PHP 4.2.2 from our network or check out php.he.net (a mirror) for more info.

Good luck, figured you'd all want a heads up before all the kiddies get their hands on a publicly released exploit.

And, in closing... PHP is the fucking devil. I have no idea why the hell anyone would use this shit, but hey, we support it and such is life.

-Phil

07-22-2002, 10:18 AM
Phil21 Confirmed User Join Date: May 2001 Location: ICQ: 25285313 Posts: 993	PHP Exploit Didn't see another thread on this. Strange. Anyways, guessing most hosting companies have allready upgraded (rght? comon now! ;) ) but those with dedicated servers that are unmanaged by your host will need to upgrade ASAP. Essentially this is a remote code execution exploit, i.e. the bad one. This is has much more immediate potential than the Apache vulnerability about a month ago. UPGRADE IMMEDIATELY. Effected versions are 4.2.x up until 4.2.2 (the bugfix release). Older versions may or may not be effected, there seems to be some disagreement about this. I would upgrade to be safe. An interim fix would be to disable both .htaccess (to keep from overrriding apache config) and disabling HTTP POST requests if you have nothing that uses POST's. As I speak, php.net is down. You can grab PHP 4.2.2 from our network or check out php.he.net (a mirror) for more info. Good luck, figured you'd all want a heads up before all the kiddies get their hands on a publicly released exploit. And, in closing... PHP is the fucking devil. I have no idea why the hell anyone would use this shit, but hey, we support it and such is life. -Phil Last edited by Phil21; 07-22-2002 at 10:19 AM..