Slashdot Mirror


PHP Security & Exploit

Anonymous Coward writes "It looks like after a few weeks of rumors, an exploit for PHP/Apache under Linux surfaced. Luckily, PHP.net has the patch ready to go. While the exploit only claims to work for PHP up to 4.0.5, php.net also releases a patch for 4.1.1, the (until yesterday) latest version of PHP. This patch makes a small edit to the part of the source code (rfc1867.c) that is used by the exploit."

6 of 28 comments

  1. If you only speak PHP... by Paul Burney · Score: 2, Funny

    <?php
    if ($system != 'patched') {
        $file_uploads = 'Danger, Will Robinson!';
    }
    ?>

    --
    <?php while ($self != "asleep") { $sheep_count++; } ?>
  2. All versions previous to 4.1.2 are at risk by chrismcc@netus.com · Score: 3, Informative

    All versions previous to 4.1.2 (today's release) are at risk

    http://www.php.net/
    http://security.e-matters.de/advisories/012002.html

    The bug report is here:
    http://bugs.php.net/bug.php?id=15736

    It recommends turning off file uploads as a workaround.

    --
    Christopher McCrory "The guy that keeps the servers running" chrismcc@gmail.com http://www.pricegrabber.com
  3. How to patch major distro versions by Why Should I · Score: 2, Interesting

    Now I like to install PHP from source personally, but most people I know that use PHP do so on a default Red Hat 7.2 RPM install, i.e. they are running version 4.0.6.

    So my question is: is there a way to patch the major distro versions (i.e. rh, suse, mandrake ...) from their default versions to the secure version?

    Because if there isn't, then there are still gonna be a lot of webservers out there running insecure versions of PHP. And, if there isn't a way, then why isn't there?

    1. Re:How to patch major distro versions by LinuxGeek8 · Score: 2

      You should be able to update the packages with up2date on Red Hat.
      And also, you should check Red Hat's errata page regularly for security updates.

      --
      Well, don't worry about that. We can get you back before you leave. (Dr. Who)
    2. Re:How to patch major distro versions by Electrum · Score: 2

      Is there a way to patch the major distro versions (i.e. rh, suse, mandrake ...) from their default versions to the secure version?

      # apt-get update
      # apt-get upgrade

      :-)

  4. The important facts by Anonymous Coward · Score: 2, Informative

    This is a very high impact vulnerability: mod_php is the world's most popular Apache module, and PHP is maybe the most popular web scripting language. (No flamewars intended; it IS popular among a lot of people whether you like it or not.)

    However, according to php.net, one line in the config should disable the vulnerability:

    file_uploads = off

    (When tested phpinfo(); gives "no value" at my site)

    One file needs to be patched for all PHP versions; get the patch here:

    php.net/downloads.php

    Patch like this:

    1. Enter ../src/php-4.0.x/main dir
    2. patch < pathtodiffile/rfc1867.c.diff-4.0.6
    3. build either the DSO module or build apache with static php

    The "full" advisory is here:

    security.e-matters.de

    now, PATCH!
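Comments 2 and 4 above both give the same two facts an administrator needs to act on: releases before 4.1.2 are affected, and `file_uploads = off` in php.ini is the workaround until the rfc1867.c patch or the upgrade is in place. The script below is an added example, not code from any of the posters or from php.net, that turns those two facts into an audit: it parses a php.ini (standard `key = value` syntax, `;` comments, `[section]` headers, PHP's On/Off/1/0 boolean spellings) and compares a version string numerically rather than as text, so 4.10 is not judged older than 4.9. The sample php.ini contents are constructed for the example; the assumption that `file_uploads` defaults to On when the directive is absent is PHP's documented default, not something the thread states.

```python
"""Audit a php.ini and a PHP version against the rfc1867.c file-upload advisory.

Added example (not code from the thread or from php.net). Assumptions:
  * 4.1.2 is the first fixed release (as stated in comments 2 and 4);
  * `file_uploads = off` is the workaround (as stated in comment 4);
  * an absent `file_uploads` directive means PHP's default of On.
"""
import re

FIXED_VERSION = (4, 1, 2)  # release the thread names as closing the hole


def parse_version(text):
    """Turn '4.0.6' or '4.1.2-dev' into a tuple of ints so it compares numerically."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def parse_php_ini(text):
    """Minimal php.ini parser returning {lower-cased directive: value}.

    Strips ';' comments, skips blank lines and [section] headers, removes
    surrounding quotes from values. The last occurrence of a directive wins,
    matching how PHP itself reads the file. Values containing a literal ';'
    inside quotes are not handled (not needed for this check).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip("\"'")
    return settings


def ini_bool(value, default=True):
    """Interpret php.ini boolean spellings; `default` applies when the directive is absent."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in ("1", "on", "true", "yes"):
        return True
    if v in ("0", "off", "false", "no", "none", ""):
        return False
    raise ValueError(f"not a php.ini boolean: {value!r}")


def audit(version_text, ini_text):
    """Return a list of findings (strings); an empty list means no action needed."""
    findings = []
    version = parse_version(version_text)
    settings = parse_php_ini(ini_text)
    uploads_on = ini_bool(settings.get("file_uploads"))

    if version < FIXED_VERSION:
        if uploads_on:
            findings.append(
                f"PHP {version_text} is older than 4.1.2 and file_uploads is enabled: "
                "upgrade or apply the rfc1867.c patch, or set file_uploads = off"
            )
        else:
            findings.append(
                f"PHP {version_text} is older than 4.1.2 but file_uploads is off: "
                "workaround in place, still schedule the upgrade"
            )
    return findings


# Constructed sample inputs for the example (not real configuration).
SAMPLE_INI_VULNERABLE = """
; constructed php.ini fragment, uploads left at the default
[PHP]
engine = On
file_uploads = On
upload_max_filesize = 2M
"""

SAMPLE_INI_WORKAROUND = """
[PHP]
file_uploads = Off   ; workaround named in the advisory
"""

if __name__ == "__main__":
    for ver, ini in (("4.0.6", SAMPLE_INI_VULNERABLE),
                     ("4.0.6", SAMPLE_INI_WORKAROUND),
                     ("4.1.2", SAMPLE_INI_VULNERABLE)):
        print(ver, audit(ver, ini) or ["ok"])
```

Run it against the host's real `php.ini` (the path `php -i` reports as "Configuration File") and the output of `php -v`; a non-empty result is the signal to patch or to set the workaround. Note that comment 4 reports phpinfo() showing "no value" for `file_uploads` once it is off, which is exactly the state `ini_bool` maps to False here.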