PHP Vulnerability Announced
corz writes "Just when you thought you were finished upgrading the webserver, 'The PHP Group has learned of a serious security vulnerability in PHP versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary code with the privileges of the web server. This vulnerability may be exploited to compromise the web server and, under certain conditions, to gain privileged access.' Here's the bugtraq announcement." The hole is in the parsing of HTTP POST headers and can allow arbitrary code to be run on vulnerable machines. PHP thoughtfully decided to release a new version, 4.2.2, today with the fix. You can find a copy of it here (mirror).
"I've heard WinXP removed the cmd/command prompt."
No, Microsoft didn't remove the CMD.EXE or COMMAND.COM prompt from Windows XP. But Windows XP has reduced functionality, in many ways, not just in the command line. The command line is a big embarrassment because of its limited capabilities, but at least in Win 95 it worked. With every version since then it has worked less well. (There are two kinds of command prompt, and, according to Microsoft employees, the differences between them are not documented.)
The command line prompt sometimes begins to display short file names. Microsoft employees say that Microsoft has no fix, although someone not connected with Microsoft did make a work-around.
Cutting and pasting into a command line program often puts successive extra spaces before each line. Microsoft employees say that there is no plan to fix this.
The fast paste mode that is in Windows 98 is gone in Windows XP. Microsoft employees say there is no plan to fix this.
When using the command line interface, Windows XP doesn't always update the time. After several hours, the time reported to command line programs can be several hours in error.
There is a DOS program called START.EXE that can be used to start other programs. But it does not operate the same way as in other versions of Windows. It starts a program, but cannot be made to return control to the command line program as previous versions did. There is no technical reason for this; it is just one of the shortcomings that are allowed to exist.
People often say that DOS has gone away. But Microsoft still calls the command line interface DOS, and in Windows XP Microsoft has added new programs for configuring the OS that work only under DOS.
Sometimes when you press a key while using Windows XP, it is seconds until there is any response. Apparently there is something wrong with the CPU scheduler in XP, because there are a lot of complaints about this in the forums and MS people have said that they are working on it. On one particular fresh installation of XP, on an Intel motherboard with either a Matrox G550 or an ATI Radeon video adapter, it requires 18 seconds to display a directory listing of 94 items. This is apparently related to a bug in the video software, not the adapter drivers.
Something is wrong with the Alt-Tab display of running programs under Windows XP. If there are a lot of programs, not all of them are displayed. The order jumps around in a seemingly random way.
Although articles often say negative things about Microsoft, I've never seen an article that fully documents how bad the situation really is. Microsoft's management is so bad that the company has become self-destructive. For example, Windows XP is spyware. Here is a list of ways Windows XP connects to Microsoft's servers:
- Application Layer Gateway Service (Requires server rights.)
- Fax Service
- File Signature Verification
- Generic Host Process for Win32 Services (Requires server rights.)
- Microsoft Application Error Reporting
- Microsoft Baseline Security Analyzer
- Microsoft Direct Play Voice Test
- Microsoft Help and Support Center
- Microsoft Help Center Hosting Server (Wants server rights.)
- Microsoft Management Console
- Microsoft Media Player (tells Microsoft the music you like)
- Microsoft Network Availability Test
- Microsoft Volume Shadow Copy Service
- MS DTC Console program
- Run DLL as an app
- Services and Controller app
- Time Service, sets the time on your computer from Microsoft's computer.
- Microsoft Office keeps a number in each file you create that identifies
your computer. Microsoft has never said why.
- Microsoft mouse software has reduced functionality until you let it connect
to Microsoft computers.
These are just the ones I know. There may be others. So, if you use Windows XP, your computer is dependent on Microsoft computers. That's bad, not only because you lose control over your possession, but because Microsoft produces buggy software and doesn't patch bugs quickly. For example, as of July 7, 2002, there are 18 unpatched security holes in Microsoft Internet Explorer. This is a terrible record for a company that has $40 billion in the bank. Obviously, with that kind of money, Microsoft could fix the bugs if it wanted to fix them. Since the bugs are very public and Microsoft has the money, it seems reasonable to suppose that top management at Microsoft has deliberately decided that the bugs should remain, at least for now.
It seems possible that there is a connection between all the bugs and the U.S. government's friendly treatment of Microsoft's law-breaking. The U.S. government's CIA and FBI and NSA departments spy on the entire world, and unpatched vulnerabilities in Microsoft software help spies.
Windows XP, and all current Windows operating systems, have a file called the registry in which configuration information is written. If this one (large, often fragmented) file becomes corrupted, the only way of recovering may be to re-format the hard drive, re-install the operating system, and then re-install and re-configure all the applications. The registry file is a single, very vulnerable, point of failure. Microsoft apparently designed it this way to provide copy protection. Since most entries in the registry are poorly documented or not documented, the registry effectively prevents control by the user.
Note that Microsoft does not support making functional complete backups under Windows XP. Look at Microsoft's policy about this: Q314828 Microsoft Policy on Disk Duplication of Windows XP Installation. Only those who work with Microsoft software will understand the true meaning of Microsoft's policy. Since almost all programs use the registry operating system file, if you cannot make a functional copy of the operating system you cannot make a functional copy of all your application installations and configurations. There are other software companies that try to fix this, but they don't work well, and Microsoft can, of course, break their implementations, as they have often done with other kinds of competitors.
Because the configuration information for the motherboard and the configuration information for the are mixed together in the registry file, the registry tends to prevent you from moving a hard drive to a computer with a different motherboard. That's another implication of the above Microsoft policy. So, if you have a motherboard failure, and a good complete backup, you may not be able to recover unless you have a spare computer with the same motherboard.
Note that Windows XP Professional can support only ten simultaneous incoming network connections. If you want more than that, you must use Windows 2000 server, and pay much, much more. (There is no Windows XP server yet.) Many businesses have very light network traffic; they just move files from staff member to staff member; they really don't need a dedicated server computer. The staff computers could easily handle the load except for this artificial limitation.
Apparently because the Windows XP GUI comes from Windows 98, Windows XP has the same problem with desktop icons that Windows 98 has. The icons sometimes flicker. Sometimes they move themselves around, particularly after the user switches monitor resolutions. Also, sometimes the taskbar settings un-configure themselves, as they do in Windows 98.
Only technically knowledgeable people know how to avoid signing up for a Microsoft Passport account during initial use of Windows XP. The name Passport gives an indication of Microsoft's thinking. A passport is a document issued by a sovereign nation. Without it, the nation's citizens cannot travel, and, if they leave, won't be allowed back in their own country. In Microsoft's corporate thinking, the company seems to be moving in the direction of believing that they own the user's computer. Most people are both honest and intimidated. Apparently about 95% do whatever they are asked on the screen. They give their personal information to Microsoft. They don't realize that, if they feel forced to get a Passport account, they should enter almost completely fictitious information, since the real question is not "What is your name and address", but "Can we invade your privacy". The honest answer to this is "No, you cannot invade my privacy", and the only effective way to communicate that is to give completely fictitious information. Since it is the educated people who have computers, Microsoft is building a database of the personal lives of educated people. Microsoft knows when they connect and from what IP address (which tends to show the area), what kind of help they ask, and information about what they are doing with their computers, including what music they like. It is not known, and there is no way to know, how much Microsoft or other organizations make use of this information, or their plans for future use.
Not only has Windows XP definitely gone further in the direction of allowing the user less control over his or her own machine, but with Palladium, Microsoft apparently intends to finish the job: Microsoft will have ultimate control over the user's computer and therefore all his or her data. Even now, under Windows XP, a recent security patch requires that the user agree to a contract that gives Microsoft administrator privileges over the user's computer. The contract says that if a user wants to patch his or her system against a bug which would allow an attack over the Internet, he or she must give Microsoft legal control over the computer. See this article also: Microsoft's Digital Rights Management-- A Little Deeper. You may need to be a lawyer to take apart the crucial sentence. "These security related updates may disable your ability to copy and/or play Secure Content and [my emphasis] use other software on your computer" legally includes this meaning: "These updates may disable your ability to use other software on your computer." Note that the term "security related updates" is meaningless to the user because the updates have no relation to user security. So, the sentence effectively means that Microsoft can control the user's computer without notice and whenever it wants. That kind of sentence is known in psychology as "testing the limits". If there is no strong public complaint about this, expect to see more and stronger language like this.
This Register article shows the direction Microsoft is going: MS Palladium protects IT vendors, not you. Absolute power corrupts absolutely, and Microsoft is well down that road. See this ZDNet article, also: MS: Why we can't trust your 'trustworthy' OS.
Microsoft's self-destructiveness does not mean that the user should be self-destructive. There is no need to apologize for using Microsoft software. The correct solution to abuse is persuading the abuser to stop being abusive. Once I posted to a Slashdot story a link to an article on a web site of mine. By far the majority of visitors from the Slashdot story used Microsoft operating systems. Rather than feel embarrassed because Microsoft is abusive, action needs to be taken to prevent the abuse. If you are against Microsoft abuse, you are not against Microsoft; you are more pro-Microsoft than Bill Gates.
These Microsoft policies mean that any government which wants to be independent of the United States government, and any government which represents itself as controlled by the people, cannot use Microsoft operating systems, or other Microsoft proprietary systems.
- posted by poopbot: the bot formerly known as pwpbot
Notice how quickly a patch appeared for this. If this were a Windblowz product, the script kiddies would be having a field day while Micro$hit denied the hole existed.
This is what free software is all about. I personally am not affected, as I prefer Perl to PHP, and my personal server is still down until I can figure out how to patch that Apache hole from a few weeks ago, but I am swollen with pride for my fellow Linux hackers.
Karma: Good (despite my invention of the Karma: sig)
First off I must admit that I am a staunch supporter of President Bush's 'War On Terror'. However, when I first read this article (The Drudge Report is my AOL homepage), I thought it was a stupid idea to even consider recruiting someone above the age of 16 to spy on their neighbours. The best way to go about this would be to teach young children to keep a close eye upon their parents and neighbours. This would best be taught in the state run schools that cost so much tax payer money, and refuse to swear to the Pledge of Allegiance. By teaching them to watch over America, there would be a huge re-injection of patriotism back into the education system. Using children has a number of advantages, because children are more likely to go along with orders delivered by a state authority. Secondly, they are innocent, and would be able to gather information readily without raising suspicions of the terrorists they would surveil. And lastly they could be rewarded easily and cheaply with videogames and candy etc. Lastly, the Boy Scouts of America could be put to use, by doing reconnaissance missions in the remoter regions of the American wilderness; the Girl Guides could supply them with food. I'm sure the terrorist camp in Oregon would never have formed if there were 100 Boy Scouts roaming the wilderness looking for Arabs every weekend. In general I support the idea, but think it needs to be reworked to include only children to be the most effective.
Parse error: parse error, unexpected T_SL in /local/Web/sites/phpweb/downloads.php on line 81
;)
Huh??! Bad karma
Taco is trying to lure you in homosexuality. Look what the hidden message is saying this time.
PHP | Posted by krow on Monday July 22, @04:20PM
from the who-would-have-thunk-it dept.
corz writes "Just when you thought you were finished upgrading the webserver, 'The PHP Group has learned of a serious seCurity vulnerability in PHP vErsions 4.2.0 and 4.2.1. An intRuder may be able to execute arbItrary code with the privilegeS of the web server. THis vulnerability MaY be exploited to compromise the weB server And, under certain conditions, to gain priviLeged access.' Here's the bugtraq announcement." The hoLe is in the parSing of HTTP POST headers and can allow arbitrary code to be run on vulnerable machines. PHP thoughtfully decided to release a new version, 4.2.2, today with the fix. You can find a copy of it here (mirror).
-- MMMMMMMMMMMMMMMMMMMM
They say the only difference between 4.2.1 and 4.2.2 is this fix, so it won't (or shouldn't anyway) break any of your scripts.
I'm glad that Open Source programmers have taken up the call, and started to finally deliver high quality, unbreakable products. Imagine! The PHP group has a fix out on exactly the same day the bug is released. It's amazing!
What a fabulous troll your post was.... or how fabulously stupid you are. It's impossible to tell.
I'm not sure how long it took, but the freebsd ports have already been updated.
Since the admins over at NYI.net showed me the light, I have been installing FreeBSD on every machine I can get my hands on, even if they aren't mine.
Download directly from here. Change the server name to a mirror closer to you if you want.
http://uk.php.net/distributions/php-4.2.2.tar.bz2
or
http://uk.php.net/distributions/php-4.2.2.tar.gz
Openoffice just released 1.0.1. But I guess that's just not as important as a minor PHP release. Don't moderate this by the way; there's nothing really interesting to say regarding this article. Here, I'll sum it all up: blah blah blah, PHP SUCKS/RULES, blah blah blah, this just shows how quickly open source response time is to security alerts, or how buggy open source is. PHP rules, look at all these websites that use it or PHP sucks, it's just like C, etc. There. Now read about OPENOFFICE BABY!
News and Issues
* Mozilla
  We upgraded mozilla integration from 0.9.5 to 1.0
* Installation
  The installation sets now contain a detailed installation guide in pdf format. After unpacking the installation tarball, you should find the file "installation_guide.pdf" with detailed instructions on how to create single user or network installations of OpenOffice.org 1.0.1. The French, German and Italian communities have completed translations of this guide which you will find in the respective installation sets instead of the English ones. Translations to other languages are in preparation. They are collected at http://documentation.openoffice.org/setup_guide/index.html.
* Solaris/sparc patches
  The Solaris/sparc version needs the following patches:
  o If you have Solaris 8 (sparc), patches 108434-01 and 108435-01
  o If you have Solaris 7 (sparc), patches 106387-8
  o The patches are available at sunsolve.sun.com.
    + Instructions: Search for the appropriate patch numbers and download
    + Uncompress the files
    + cd to the directory containing the patches
    + As root, execute the following:
      prompt> patchadd [patchnumber]
    + (repeat as needed for Solaris 8)
Bug Fixes
This is a brief description of bug fixes for 1.0.1. You can click on the corresponding IssueZilla number to find out more details.
* Several file saving operations tended to crash OpenOffice.org due to unreadable characters in the filename path. This has been fixed. (IZ 4655)
* Fontcache problems have been solved (IZ 4366)
* Font server discovery has been improved. (IZ 1610)
* Autopilot functions didn't work when OOo is network installed on read-only partitions. This is fixed now. (IZ 4735)
* Fixes for Thesaurus (OOo used to crash when changing the language in spell checking) (IZ 4435)
* Any hyphenation dictionary should work now under any locale. (IZ 4555) (IZ 4687)
* OOo used to freeze when programs access /dev/dsp - for instance slide transitions in OpenImpress froze when they are accompanied with sound handled by the gnome sound daemon. This has been fixed now. (IZ 4353)
* Certain fonts caused the installation not to work in certain setups. This has been fixed. (IZ 4468)
* Fix compilation of MailDocumentConverter with optimisation (IZ 5523)
* Many mismatches between memory allocation (array context) and de-allocation (not array-context) throughout the code have been fixed (IZ 5181)
* Fixes for Costa Rica Spanish locale settings (IZ 2285)
* Changed the default to convert Excel Ole objects to Calc. This caused trouble in opening a large PowerPoint document with embedded Excel Ole objects. (IZ 4131)
* A locale problem when starting OOo has been fixed (IZ 5445)
* Chinese input method 'miniChininput' fixed (IZ 5157)
* Fix for corrupted text in case the application window is partially out of the screen (IZ 5954)
* Spadmin did not check for ghostscript correctly (IZ 3763)
tHANKS
Got friends?
but... I have mirrored the PHP 4.2.2 tar/bz2 ball on my server (over DSL)... you can access it via FTP at closedsrc.org with anon/anon, or the link below:
ftp://anon:anon@closedsrc.org/.
The md5sum file is based on the md5 checksum provided by the FreeBSD port distinfo file.
I know I'm asking for it...
This is one of the most-installed Apache modules. If this was an IIS exploit you know it'd be on the front page. I don't really mind biased comments in the stories as much, but to actually HIDE news because it goes against the notion that Open Source is invincible is really pathetic.
If I read the bugtraq announcement correctly, IA32 (including, I assume, my K6-2 Linux box hosting the webserver) is "safe" from remote code execution (but the server can still be crashed by the exploit). Did I read that right?...
Hacker Public Radio is our Friend
Do you even lift?
These aren't the 'roids you're looking for.
Once again, notice the "may" and the "certain circumstances": This vulnerability may be exploited to compromise the web server and, under certain conditions, to gain privileged access. Time and time again, I see this in bug announcements; they always throw out the worst possibility, when in fact the majority of people won't be harmed any more than a blind man trying to swat a fly.
"you sonofabitch i didn't know!"
Newbie here. The file only came with a *.patch file and no instructions.
A patch is publicly accessible via my webserver here (http://www.initialized.org/patches/php4.2.2-apac
To install the patch on a Unix machine and install PHP using apxs:
(r) designates commands that must be executed as the superuser (root).
- Download the tarball. I recommend using us2.php.net, Hurricane Electric's mirror.
- Execute 'tar xvfz php-4.2.2.tar.gz' from a shell.
- Execute 'cd php-4.2.2'.
- Execute 'wget http://www.initialized.org/patches/php4.2.2-apache2.0.39.diff'.
- Execute 'patch sapi/apache2filter/php_functions.c php4.2.2-apache2.0.39.diff'. This command will apply the patch.
- Execute './configure --with-apxs2'. You may specify further options (such as --with-mysql if your applications require MySQL support) following "--with-apxs2".
- (r) Execute 'make'.
- (r) Execute 'make install'.
- (r) Restart Apache. 'apachectl restart' is the most common method of doing so.
If you have any questions or encounter difficulties, feel free to email me. -- Scoria
Do you like German cars?
While the mirror is a good idea, most folks aren't going to download from an unofficial/untrusted source - so you probably won't get hit with too many downloads. Thanks for the kind gesture, though! :)
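What makes an unofficial mirror like the one offered above usable at all is the step the mirror post mentions in passing: comparing the download against the checksum published out of band, here the MD5 line from the FreeBSD port's distinfo file. The following is an added example, not code from the page, the PHP Group or the FreeBSD ports tree: it parses distinfo records in their real format (`MD5 (file) = hex`), verifies downloaded bytes against them, and rejects a checksum file it cannot fully parse. The tarball bytes and the distinfo lines are constructed for the demo (they are not the real php-4.2.2 digest). The 2002 php4 port carried only an MD5 line; because MD5 is no longer collision-resistant, later ports added SHA256 and SIZE lines, and the parser accepts all three, which goes beyond what the post describes.

```python
import hashlib
import hmac
import re

# One FreeBSD ports distinfo record per line, e.g. "MD5 (php-4.2.2.tar.gz) = <hex>".
# The 2002 php4 port had only MD5; later ports add SHA256 and SIZE, accepted here too.
_DISTINFO_LINE = re.compile(
    r"^(?P<algo>MD5|SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$"
)

# Constructed stand-ins for a downloaded tarball: NOT the real php-4.2.2 bytes.
GOOD_TARBALL = b"\x1f\x8b\x08\x00" + b"php-4.2.2 demo payload\n" * 16
TAMPERED_TARBALL = GOOD_TARBALL[:-1] + b"!"   # same length, one byte changed

# A constructed distinfo in the real line format, digests taken from the stand-in.
DISTINFO_TEXT = "\n".join([
    "MD5 (php-4.2.2.tar.gz) = " + hashlib.md5(GOOD_TARBALL).hexdigest(),
    "SIZE (php-4.2.2.tar.gz) = " + str(len(GOOD_TARBALL)),
    "",
])


def parse_distinfo(text):
    """Map each distfile name to its {algo: value} records.

    Any line that is not in distinfo format raises ValueError, so a truncated
    or edited checksum file fails closed instead of silently checking nothing.
    """
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _DISTINFO_LINE.match(line)
        if m is None:
            raise ValueError("unrecognised distinfo line: %r" % line)
        records.setdefault(m.group("name"), {})[m.group("algo")] = m.group("value")
    return records


def verify_download(data, name, records):
    """Check downloaded bytes against the distinfo records for `name`.

    Returns (ok, problems). Every available check is run so the report lists
    all mismatches; a file with no digest line at all is rejected outright.
    """
    expected = records.get(name)
    if expected is None:
        return False, ["no distinfo entry for %s" % name]
    problems = []
    if "SIZE" in expected and len(data) != int(expected["SIZE"]):
        problems.append("SIZE mismatch: got %d bytes" % len(data))
    checked = 0
    for algo, fn in (("MD5", hashlib.md5), ("SHA256", hashlib.sha256)):
        if algo not in expected:
            continue
        checked += 1
        actual = fn(data).hexdigest()
        # Constant-time compare is not needed for a public digest, but it is
        # the habit worth keeping for any equality check on secrets.
        if not hmac.compare_digest(actual.lower(), expected[algo].lower()):
            problems.append("%s mismatch" % algo)
    if checked == 0:
        problems.append("no digest line to check")
    return (not problems), problems


if __name__ == "__main__":
    recs = parse_distinfo(DISTINFO_TEXT)
    for label, blob in (("good", GOOD_TARBALL), ("tampered", TAMPERED_TARBALL)):
        ok, why = verify_download(blob, "php-4.2.2.tar.gz", recs)
        print(label, "OK" if ok else "REJECT", why)
```

The point of the design is where the checksum comes from: the distinfo must be fetched from the ports tree (or the digest from php.net), never from the same mirror that served the tarball, otherwise a tampered mirror simply publishes a matching digest. A single flipped byte, as in the tampered copy, is enough to fail the MD5 check.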
I can understand a certain amount of vulnerability after 420...
I feel fantastic, and I'm still alive.
According to the announcements the only thing the vulnerability can do is cause your webserver to crash.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Anyone with anything intelligent to add to this discussion is either busy patching or cracking
NOT posting
If voting were effective, it would be illegal by now.
Things like this happen every day, and what makes me feel good is that I don't have to keep up with Bugtraq and other sources to find out when my business is affected. Instead I receive personalized e-mail alerts.
The service: http://securitywarnings.com/info
Debian users only upgrade the bits they really need to be current, and shake their heads sadly at the Redhat and Mandrake users downloading or buying the exploit of the month.
I just installed PHP on a Apache server that's running on a 2 liter of Coke. d00d, it rox!
They are all at -1
The trolls are winning Taco
End of discussion!!!
I upgraded to 4.2.2 in the middle of developing a site for a client (I know - big "No No") and it was TOTAL BADNESS. My login procedure and several sections of the site just stopped working. Apparently 4.2.2 configures the system such that redirects do not work the same. Needless to say this turned my dev server upside down in a mad rain of chaos. Had to do a rollback and just forget about it for now. Once the site works I'll reinstall and debug. Caveat emptor.
geeks are cats who dig a certain kind of cool
It's not the same sort of exploit as most IIS exploits. An IIS exploit gives someone access over an entire server. This exploit gives access to a shell which could read Apache-readable files and execute programs. It might even be able to write to /tmp. But no important files can be deleted or written to.