Security Hole Found in 4.3.0

← Back to Stories (view on slashdot.org)

Posted by krow on Monday February 17, 2003 @09:46AM from the let's-all-sing-the-doom-song dept.

Saint Aardvark writes "The good folks at PHP.net have warned of a serious vulnerability in PHP 4.3.0: 'Anyone with access to websites hosted on a web server which employs the CGI module may exploit this vulnerability to gain access to any file readable by the user under which the webserver runs. A remote attacker could also trick PHP into executing arbitrary PHP code if attacker is able to inject the code into files accessible by the CGI. This could be for example the web server access-logs.' It's recommend that you upgrade to 4.3.1 right away."

9 of 34 comments (clear)

Min score:

Reason:

Sort:

Apache: Security Hole Found in 4.3.0 by Trak · 2003-02-17 09:52 · Score: 5, Funny

Damn, I just installed 2.0.44. I'm so behind the curve!
eh? by Anonymous Coward · 2003-02-17 09:56 · Score: 2, Insightful

Apache 4.3.0??? WTF??

oh wait, they're talking about PHP!!

and it looks like the CGI version, NOT the Apache module, correct? Please clarify for the morons in the audience such as myself.

So the 3 guys that actually use PHP as a CGI module can upgrade and the rest of us can go back to jerking off!
1. Re:eh? by anthony_dipierro · 2003-02-17 11:38 · Score: 2, Informative
  
  and it looks like the CGI version, NOT the Apache module, correct? Please clarify for the morons in the audience such as myself.
  
  Not only is it only the CGI version, but it's only version 4.3.0 of the CGI version.
Um ... misleading title? by legLess · 2003-02-17 10:01 · Score: 4, Insightful

One would hope it could make made clear in the title (currently: "Apache: Security Hole Found in 4.3.0") that this is in fact a PHP hole, not an Apache one.

--
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
cgi vulnerability by AllMightyPaul · 2003-02-17 10:08 · Score: 3, Interesting

And just two articles down on the homepage, in the Developers section, there is an article about the dangers of using CGI. How ... ironic?
Finally by Almace · 2003-02-17 10:13 · Score: 3, Funny

<mandatory microsft bashing> Apache can have ALL the features of IIS. </mandatory microsft bashing>

--
Remember,democracy never lasts long.It soon wastes, exhausts and murders itself. John Adams (1814)
1. Re:Finally by dietz · 2003-02-17 12:07 · Score: 4, Informative
  
  Actually, if you install this as an apache module, you aren't vulnerable.
  
  Only people who use the CGI interface (which is probably very few apache users).
  
  So posting it under "Apache" was sorta misleading.
What about older versions? by phr2 · 2003-02-17 17:56 · Score: 2, Insightful

Anyone know if 4.0.2 or 4.1.2 are affected by this bug? Do those versions have serious security probs of their own?
PHP >= 4.3.0 is not a great update by ptaff · 2003-02-18 05:36 · Score: 3, Insightful

Class methods are not working as they should in PHP >= 4.3.0; I'd suggest to anyone who does OO in PHP to stay with 4.2.3 as long as they want to keep their scripts working. See for yourself this Bug report