PHP Vulnerability Announced
corz writes "Just when you thought you were finished upgrading the webserver, 'The PHP Group has learned of a serious security vulnerability in PHP versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary code with the privileges of the web server. This vulnerability may be exploited to compromise the web server and, under certain conditions, to gain privileged access.' Here's the bugtraq announcement." The hole is in the parsing of HTTP POST headers and can allow arbitrary code to be run on vulnerable machines. PHP thoughtfully decided to release a new version, 4.2.2, today with the fix. You can find a copy of it here (mirror).
I went to upgrade php and got that as well. It's the same for the mirrors. This doesn't bode well.
They say the only difference between 4.2.1 and 4.2.2 is this fix, so it won't (or shouldn't anyway) break any of your scripts.
Download directly from here. Change the server name to a mirror closer to you if you want.
http://uk.php.net/distributions/php-4.2.2.tar.bz2
or
http://uk.php.net/distributions/php-4.2.2.tar.gz
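Before fetching the tarball it is worth knowing which of your hosts actually run one of the two affected releases. The script below is an added example for this thread, not code from Slashdot or the PHP project: it classifies a version string against the 4.2.0 and 4.2.1 releases the advisory names, and extracts the version either from `php -v` output or from the `X-Powered-By` / `Server` headers a PHP-enabled Apache sends. The sample responses are constructed for the demo; treating suffixed builds of 4.2.0 and 4.2.1 (release candidates, -dev snapshots) as affected is the author's conservative assumption, not a statement from the advisory.

```shell
#!/bin/sh
# Added example for this thread (not code from Slashdot or the PHP project).
# Classifies a PHP version against the two releases the advisory names,
# 4.2.0 and 4.2.1, pulling the version out of either "php -v" output or
# HTTP response headers. The sample headers below are constructed for the
# demo; nothing here touches the network.

# php_version_affected VERSION -> exit 0 if VERSION is 4.2.0 or 4.2.1, else 1.
# Suffixed builds of those two (4.2.1RC2, 4.2.0-dev) are treated as affected;
# that is an assumption on the conservative side, not something the advisory says.
php_version_affected() {
    case "$1" in
        4.2.0|4.2.1|4.2.0[!0-9]*|4.2.1[!0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# php_version_from_text TEXT -> prints the first PHP version found, or nothing.
# Recognises the "PHP 4.2.1 (cli) ..." banner and "PHP/4.2.1" tokens inside
# X-Powered-By or Server headers. Those headers are only present when the
# server advertises them (expose_php on, full ServerTokens), so an empty
# result means "unknown", not "safe".
php_version_from_text() {
    printf '%s\n' "$1" | sed -n \
        -e 's|^PHP \([0-9][0-9A-Za-z.-]*\).*|\1|p' \
        -e 's|.*PHP/\([0-9][0-9A-Za-z.-]*\).*|\1|p' | head -n 1
}

# php_status TEXT -> prints affected | not-affected | unknown
php_status() {
    php_status_ver=$(php_version_from_text "$1")
    if [ -z "$php_status_ver" ]; then
        echo unknown
    elif php_version_affected "$php_status_ver"; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample responses (CRLF line endings, as on the wire).
SAMPLE_VULN=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/1.3.26 (Unix)\r\nX-Powered-By: PHP/4.2.1\r\nContent-Type: text/html\r\n')
SAMPLE_FIXED=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/1.3.26 (Unix) PHP/4.2.2\r\nContent-Type: text/html\r\n')
SAMPLE_NOHDR=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n')

for sample in "$SAMPLE_VULN" "$SAMPLE_FIXED" "$SAMPLE_NOHDR"; do
    printf 'version=%s status=%s\n' "$(php_version_from_text "$sample")" "$(php_status "$sample")"
done

# If a php binary is on this host, classify it too ("php -v" prints the banner).
if command -v php >/dev/null 2>&1; then
    printf 'local php: %s\n' "$(php_status "$(php -v 2>/dev/null)")"
fi
```

To check a live host, feed it the real response headers, e.g. `php_status "$(curl -sI http://host/)"`. An `unknown` result only means the server does not advertise its PHP version; it still needs a look at the installed package or `php -v` on the box.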
It's a security bug fix release. Only this bug was fixed, to get it out as soon as possible. PHP 4.2.3 will have more bugs fixed (+ proper QA) and should be released in the next few weeks.
chregu
Gobbles proved them wrong.