Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Hole Found in 4.3.0

Posted by krow on Monday February 17, 2003 @09:46AM from the let's-all-sing-the-doom-song dept.

Saint Aardvark writes "The good folks at PHP.net have warned of a serious vulnerability in PHP 4.3.0: 'Anyone with access to websites hosted on a web server which employs the CGI module may exploit this vulnerability to gain access to any file readable by the user under which the webserver runs. A remote attacker could also trick PHP into executing arbitrary PHP code if attacker is able to inject the code into files accessible by the CGI. This could be for example the web server access-logs.' It's recommend that you upgrade to 4.3.1 right away."

3 of 34 comments (clear)

Min score:

Reason:

Sort:

Apache: Security Hole Found in 4.3.0 by Trak · 2003-02-17 09:52 · Score: 5, Funny

Damn, I just installed 2.0.44. I'm so behind the curve!
Um ... misleading title? by legLess · 2003-02-17 10:01 · Score: 4, Insightful

One would hope it could make made clear in the title (currently: "Apache: Security Hole Found in 4.3.0") that this is in fact a PHP hole, not an Apache one.

--
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
Re:Finally by dietz · 2003-02-17 12:07 · Score: 4, Informative

Actually, if you install this as an apache module, you aren't vulnerable.

Only people who use the CGI interface (which is probably very few apache users).

So posting it under "Apache" was sorta misleading.