Security Hole Found in 4.3.0
Saint Aardvark writes "The good folks at PHP.net have warned of a serious vulnerability in PHP 4.3.0: 'Anyone with access to websites hosted on a web server which employs the CGI module may exploit this vulnerability to gain access to any file readable by the user under which the webserver runs.
A remote attacker could also trick PHP into executing arbitrary PHP code if attacker is able to inject the code into files accessible by the CGI. This could be for example the web server access-logs.' It's recommended that you upgrade to 4.3.1 right away."
Or does it seem like PHP has been afflicted with a lot of vulnerabilities lately?
Maybe the number of newsworthy PHP vulnerabilities is a testament to how widely the language is deployed. And, MySQL has had its share, too.
But the Apache and Linux components of "LAMP" seem to have been relatively secure by comparison.
"Provided by the management for your protection."
And just two articles down on the homepage, in the Developers section, there is an article about the dangers of using CGI. How ... ironic?