PHP Exploit

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Phil21
    Confirmed User
    • May 2001
    • 993

    #1

    PHP Exploit

    Didn't see another thread on this. Strange.

    Anyways, guessing most hosting companies have allready upgraded (rght? comon now! ;) ) but those with dedicated servers that are unmanaged by your host will need to upgrade ASAP.

    Essentially this is a remote code execution exploit, i.e. the bad one. This is has much more immediate potential than the Apache vulnerability about a month ago. UPGRADE IMMEDIATELY.

    Effected versions are 4.2.x up until 4.2.2 (the bugfix release). Older versions may or may not be effected, there seems to be some disagreement about this. I would upgrade to be safe.

    An interim fix would be to disable both .htaccess (to keep from overrriding apache config) and disabling HTTP POST requests if you have nothing that uses POST's.

    As I speak, php.net is down. You can grab PHP 4.2.2 from our network or check out php.he.net (a mirror) for more info.

    Good luck, figured you'd all want a heads up before all the kiddies get their hands on a publicly released exploit.

    And, in closing... PHP is the fucking devil. I have no idea why the hell anyone would use this shit, but hey, we support it and such is life.

    -Phil
    Last edited by Phil21; 07-22-2002, 09:19 AM.
    Quality affordable hosting.
  • foe
    Confirmed User
    • May 2002
    • 5246

    #2
    php.net is up

    http://www.php.net/release_4_2_2.php


    more detailed info
    Last edited by foe; 07-22-2002, 09:25 AM.

    Comment

    • Phil21
      Confirmed User
      • May 2001
      • 993

      #3
      Ah, yep. Was quite a challenge early this morning trying to remember the mirror names when I was looking to get PHP.

      Anyways, go to php.net directly for more info straight from the horses mouth.

      peace,

      -Phil
      Quality affordable hosting.

      Comment

      • foe
        Confirmed User
        • May 2002
        • 5246

        #4
        Btw I dont know why you have php in the past I have known php to be much more secure than some other server side based languages.

        Comment

        • AdultWire
          Confirmed User
          • Feb 2002
          • 962

          #5
          There are many bug fixes for this bug, including patches for 4.0.6
          SIG TOO BIG! Maximum 120x60 button and no more than 3 text lines of DEFAULT SIZE and COLOR. Unless your sig is for a GFY top banner sponsor, then you may use a 624x80 instead of a 120x60.

          Comment

          • Babaganoosh
            ♥♥♥ Likes Hugs ♥♥♥
            • Nov 2001
            • 15841

            #6
            Just got done upgrading my server at rackshack. Ran into some trouble but I got it going. If anyone is having trouble upgrading, hit me up. I have some free time this afternoon and would be glad to help you out.
            I like pie.

            Comment

            Working...