Slashdot Mirror


Security Hole Found in 4.3.0

Saint Aardvark writes "The good folks at PHP.net have warned of a serious vulnerability in PHP 4.3.0: 'Anyone with access to websites hosted on a web server which employs the CGI module may exploit this vulnerability to gain access to any file readable by the user under which the webserver runs. A remote attacker could also trick PHP into executing arbitrary PHP code if attacker is able to inject the code into files accessible by the CGI. This could be for example the web server access-logs.' It's recommended that you upgrade to 4.3.1 right away."

2 of 34 comments

  1. Re:eh? by anthony_dipierro · Score: 2, Informative

    and it looks like the CGI version, NOT the Apache module, correct? Please clarify for the morons in the audience such as myself.

    Not only is it only the CGI version, but it's only version 4.3.0 of the CGI version.

  2. Re:Finally by dietz · Score: 4, Informative

    Actually, if you install this as an apache module, you aren't vulnerable.

    Only people who use the CGI interface (which is probably very few apache users).

    So posting it under "Apache" was sorta misleading.