Slashdot Mirror


Security Hole Found in 4.3.0

Saint Aardvark writes "The good folks at PHP.net have warned of a serious vulnerability in PHP 4.3.0: 'Anyone with access to websites hosted on a web server which employs the CGI module may exploit this vulnerability to gain access to any file readable by the user under which the webserver runs. A remote attacker could also trick PHP into executing arbitrary PHP code if attacker is able to inject the code into files accessible by the CGI. This could be for example the web server access-logs.' It's recommended that you upgrade to 4.3.1 right away."

2 of 34 comments

  1. Re:Is It Just Me? by sporty · Score: -1, Flamebait

    I believe it's a problem with the fact that PHP doesn't follow an OO paradigm. Why do I say that, as if it has importance? Because it has some bearing on security.

    For instance, if there was a file class that managed these permission problems, and it was deemed secure, then that's it. If someone managed to bypass this security check, the security manager is busted.

    PHP also has a very arcane architecture to it that is a lot of spaghetti code. If you ever have to develop a plugin for php, you wind up using a bunch of predefined macros but no real APIs for creating a plugin.

    For instance, take a look at stxx and struts. Struts created a base class, a plugin class, and stxx implements it. If struts's security manager doesn't want you to use its api in certain ways, you simply can't. No pointer arithmetic to simply start reading memory. Granted, you MIGHT be able to use reflection to read some information about the classes that struts uses, you can't really get it to execute them unless you write a malicious plugin.

    In this case, it's just php and the spaghetti code that realizes it.

    --

    -
    ping -f 255.255.255.255 # if only

  2. so what by KilerCris · Score: 1, Flamebait

    4.3.0 is crap anyway. I upgraded to it and had nothing but trouble. Most servers I've seen are sticking with 4.2.3