Slashdot Mirror


PHP Vulnerability Announced

corz writes "Just when you thought you were finished upgrading the webserver, 'The PHP Group has learned of a serious security vulnerability in PHP versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary code with the privileges of the web server. This vulnerability may be exploited to compromise the web server and, under certain conditions, to gain privileged access.' Here's the bugtraq announcement." The hole is in the parsing of HTTP POST headers and can allow arbitrary code to be run on vulnerable machines. PHP thoughtfully decided to release a new version, 4.2.2, today with the fix. You can find a copy of it here (mirror).


  1. another success for Open Source by tps12 · Score: 0, Flamebait

    Notice how quickly a patch appeared for this. If this were a Windblowz product, the script kiddies would be having a field day while Micro$hit denied the hole existed.

    This is what free software is all about. I personally am not affected, as I prefer Perl to PHP, and my personal server is still down until I can figure out how to patch that Apache hole from a few weeks ago, but I am swollen with pride for my fellow Linux hackers.

    --

    Karma: Good (despite my invention of the Karma: sig)