Slashdot Mirror


Security Hole Found in 4.3.0

Saint Aardvark writes "The good folks at PHP.net have warned of a serious vulnerability in PHP 4.3.0: 'Anyone with access to websites hosted on a web server which employs the CGI module may exploit this vulnerability to gain access to any file readable by the user under which the webserver runs. A remote attacker could also trick PHP into executing arbitrary PHP code if attacker is able to inject the code into files accessible by the CGI. This could be for example the web server access-logs.' It's recommended that you upgrade to 4.3.1 right away."

34 comments

  1. Apache: Security Hole Found in 4.3.0 by Trak · · Score: 5, Funny

    Damn, I just installed 2.0.44. I'm so behind the curve!

    1. Re:Apache: Security Hole Found in 4.3.0 by Anonymous Coward · · Score: 0

      u mean u just installed apache 2.0.44 not php 2.0.44, right?

  2. eh? by Anonymous Coward · · Score: 2, Insightful

    Apache 4.3.0??? WTF??

    oh wait, they're talking about PHP!!

    and it looks like the CGI version, NOT the Apache module, correct? Please clarify for the morons in the audience such as myself.

    So the 3 guys that actually use PHP as a CGI module can upgrade and the rest of us can go back to jerking off!

    1. Re:eh? by anthony_dipierro · · Score: 2, Informative

      and it looks like the CGI version, NOT the Apache module, correct? Please clarify for the morons in the audience such as myself.

      Not only is it only the CGI version, but it's only version 4.3.0 of the CGI version.

  3. Um ... misleading title? by legLess · · Score: 4, Insightful

    One would hope it could be made clear in the title (currently: "Apache: Security Hole Found in 4.3.0") that this is in fact a PHP hole, not an Apache one.

    --
    This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
    1. Re:Um ... misleading title? by Anonymous Coward · · Score: 0

      Not only that, but it doesn't even affect you if you use the apache module, so it's primarily for people running PHP under OTHER web servers.

  4. Is It Just Me? by 4of12 · · Score: 1, Interesting

    Or does it seem like PHP has been afflicted with a lot of vulnerabilities lately?

    Maybe the number of newsworthy PHP vulnerabilities is a testament to how widely the language is deployed. And, MySQL has had its share, too.

    But the Apache and Linux components of "LAMP" seem to have been relatively secure by comparison.

    --
    "Provided by the management for your protection."
    1. Re:Is It Just Me? by sporty · · Score: -1, Flamebait

      I believe it's a problem with the fact that PHP doesn't follow an OO paradigm. Why do I say that, as if it has importance? Because it has some bearing on security.

      For instance, if there was a file class that managed these permission problems, and it was deemed secure, then that's it. If someone managed to bypass this security check, the security manager is busted.

      PHP also has a very arcane architecture to it that is a lot of spaghetti code. If you ever have to develop a plugin for php, you wind up using a bunch of predefined macros but no real api's for creating a plugin.

      For instance, take a look at stxx and struts. Struts created a base class, a plugin class, and stxx implements it. If struts's security manager doesn't want you to use its api in certain ways, you simply can't. No pointer arithmetic to simply start reading memory. Granted, you MIGHT be able to use reflection to read some information about the classes that struts uses, you can't really get it to execute them unless you write a malicious plugin.

      In this case, it's just php and the spaghetti code that realizes it.

      --

      -
      ping -f 255.255.255.255 # if only

    2. Re:Is It Just Me? by Anonymous Coward · · Score: 1, Insightful

      Blaming security vulnerabilities on a lack of OO principles is misguided and wrong.

      Java still has occasional vulnerabilities. Java was designed with a very robust security model from the very beginning, however vulnerabilities still pop up on occasion. Albeit not very often, but they exist. J2EE is every bit as vulnerable to JVM exploits as any other Java application. Ultimately, it's the implementor who is responsible for security.

      I can't speak to the internals of PHP, it may be spaghetti code, but simply sprinkling magic OOP pixie dust will not remove any and all security issues. You can write an insecure program, regardless of design or methodology, if you don't know what you're doing.

      PHP's remote file inclusion and execution -- this is a huge mis-feature from a security standpoint. Whether PHP is written in C++, assembler, Java, or Lisp; whether that feature is done with OOP and design patterns, that feature is dangerous regardless of implementation!

      Look at OpenBSD. It's definitely not OO, however very robust, and historically, very secure. The programmers know what they're doing.

      Ultimately, the programming team's collective experience, intelligence, and paranoia determines how secure any application is.

    3. Re:Is It Just Me? by sporty · · Score: 1
      Blaming security vulnerabilities on a lack of OO principles is misguided and wrong.


      No, I'm using OO as an example of the good use of it. Php has a problem with badly written internals, based off of spaghetti code and procedural programming.

      Writing stuff in OO is a little harder to make memory leaks, while possible. Especially if you don't use malloc explicitly. Deleting all your objects (or implied in the case of garbage collection) as well as a well written API, in the case of java and ruby, will help you not write bad code. It will help you keep organized. Dismissing OO is misguided and wrong as well.

      Next thing I know, i'm gonna be told to dismiss seatbelts, since if I drive perfectly, I won't ever need them!
      --

      -
      ping -f 255.255.255.255 # if only

    4. Re:Is It Just Me? by Anonymous Coward · · Score: 1, Insightful
      I think it'd be safer, and more appropriate, to say "badly written internals" cause problems, than the lack of OO.

      I believe it's a problem with the fact that PHP doesn't follow an OO paradigm.


      would be more appropriately (less inflammatory) written:

      I believe it's a problem with the fact that PHP is badly written.


      I suppose we can agree that well-designed languages should, in theory, promote well-written code. E.g. see the discussion of Perl6, and doing away with crappy legacy syntax that only muddies the language.

      However, we all know there isn't, and most likely never will be, a "silver bullet". Saying "X is bad because it's written [with|without] design paradigm Y" is generally misguided and wrong, at least for the majority of high-level ideologies like OOP or even XP.

      Solid code, secure APIs, robust runtime environments -- these are not exclusive to OOP. I would almost go so far to say that newer languages such as Java, Ruby, Python (even C#, maybe) are on average more secure because they were developed within the last decade (or so), and the language creators had 20/20 hindsight into the shortcomings of other languages and libraries.
    5. Re:Is It Just Me? by sporty · · Score: 1

      Not saying it's bad because of not using OO..just not using OO makes it easier. But hey, procedural spaghetti code is up to the designer, not me :)

      --

      -
      ping -f 255.255.255.255 # if only

    6. Re:Is It Just Me? by meme_police · · Score: 1

      And Linux is relatively unsecure compared to other OSes. I prefer OAPP, OpenBSD-Apache-Postgresql-PHP.

      --

      The meme police, They live inside of my head

    7. Re:Is It Just Me? by Anonymous Coward · · Score: 0

      Apache sucks like a homo.

    8. Re:Is It Just Me? by Anonymous Coward · · Score: 0

      How familiar are you with the internals of PHP and the Zend Engine?

    9. Re:Is It Just Me? by sporty · · Score: 1

      A bit. I've looked into writing modules. Nasty stuff.

      --

      -
      ping -f 255.255.255.255 # if only

  5. cgi vulnerability by AllMightyPaul · · Score: 3, Interesting

    And just two articles down on the homepage, in the Developers section, there is an article about the dangers of using CGI. How ... ironic?

  6. Finally by Almace · · Score: 3, Funny

    <mandatory microsft bashing>
    Apache can have ALL the features of IIS.
    </mandatory microsft bashing>

    --
    Remember,democracy never lasts long.It soon wastes, exhausts and murders itself. John Adams (1814)
    1. Re:Finally by dietz · · Score: 4, Informative

      Actually, if you install this as an apache module, you aren't vulnerable.

      Only people who use the CGI interface (which is probably very few apache users).

      So posting it under "Apache" was sorta misleading.

    2. Re:Finally by JediTrainer · · Score: 1, Offtopic


      Epeche-a cun hefe-a ELL zee feetoores ooff IIS. Bork Bork Bork!
      </mandatory microsoft borking>

      --

      You can accomplish anything you set your mind to. The impossible just takes a little longer.
  7. I could be wrong but... by SiMac · · Score: 1

    I could be (and very possibly am) wrong, but doesn't this only affect you if you've installed PHP in your cgi-bin? Otherwise, you can't ignore .htaccess files by calling PHP directly.

    There will always be a local vulnerability where a user could install the PHP binary, but as long as you give users CGI access you are vulnerable to the same kinds of things through a Perl script or a CGI written in C.

    Simon

  8. Thank god... by Jellybob · · Score: 1

    it's just the CGI version... I saw this just before I went to bed, and didn't really feel like upgrading my PHP install.

  9. amazing how fast security holes are being found... by dougnaka · · Score: 1

    we now find bugs in versions years before they're ever released, or even planned.... this must have been found by that new government department that monitors everything... would have helped to mention PHP in the title....

    --
    My Linux Command of the Day site : LCOD
  10. What about older versions? by phr2 · · Score: 2, Insightful

    Anyone know if 4.0.2 or 4.1.2 are affected by this bug? Do those versions have serious security probs of their own?

  11. so what by KilerCris · · Score: 1, Flamebait

    4.3.0 is crap anyway. I upgraded to it and had nothing but trouble. Most servers I've seen are sticking with 4.2.3

    1. Re:so what by Anonymous Coward · · Score: 0

      yay mysql_pconnect! ;/

      Ah well, 4.3.1 is supposed to fix that too.

    2. Re:so what by KilerCris · · Score: 1

      From Interesting to Insightful to TROLL?!?! Common!

    3. Re:so what by KilerCris · · Score: 1

      lol...blow me

  12. Net everybody has to upgrade by jakobgrimstveit · · Score: 1

    Note! This upgrade is only relevant for those who have enabled the CLI (command line interface) of PHP. Me, Myself and I can at least relax.

    --
    Jakob Breivik Grimstveit
    "I love deadlines. I love the whooshing noise they make as they go by."
    1. Re:Net everybody has to upgrade by jericho4.0 · · Score: 1
      What. The. Hell. Are. You. Talking. About?
      It seems you might be confusing acronyms or something. CGI != CLI.

      Unless you're trying to make a joke, in which case, the joke's on me.

      --
      "A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
  13. Thank god by scrytch · · Score: 1

    None of my apps use the number 4.3.0, so I'm safe.

    Would it be too much to ask to make headlines make a smidgen of sense in the "older articles" section by actually including something like the name of the product affected?

    Oh wait, it is.

    --
    I've finally had it: until slashdot gets article moderation, I am not coming back.
  14. PHP >= 4.3.0 is not a great update by ptaff · · Score: 3, Insightful

    Class methods are not working as they should in PHP >= 4.3.0; I'd suggest to anyone who does OO in PHP to stay with 4.2.3 as long as they want to keep their scripts working. See for yourself this Bug report

  15. well actucally by Anonymous Coward · · Score: -1, Offtopic
    linux is piss slow.

  16. Patch then, don't upgrade by Anonymous Coward · · Score: 0

    The obvious answer is to patch. I've had to rewrite tiny, but problematic, portions of my PHP code with every upgrade. However, a patch for the same version is a better solution to fixing the security problem. I'll upgrade when I have time and can plan and test properly.