Slashdot Mirror


PHP 4.3.8 Released, Fixing Remote Security Hole

christian klink writes "While it was already reported on Slashdot that PHP5 was released, it was not mentioned that the PHP developers have also announced the release of PHP 4.3.8, which is supposed to fix a major remote security hole in nearly all PHP installations. Additionally, this new version adds a workaround for another Internet Explorer bug. The bugs were found by security specialist Stefan Esser of e-matters, who is also a member of the PHP developers."

5 of 30 comments

  1. Re:not exploitable everywhere? by Inominate · · Score: 3, Informative

    register_globals is almost always on, except for small sites with all recently developed code.

    And sessions are also very commonly used.

    Basically everyone who uses PHP uses one if not both of these.

  2. Temporary solution? by ptaff · · Score: 2, Informative

    A temporary workaround (while distributions update their packages) is to disable the memory_limit parameter. Though it can bring other weaknesses on a server (DoS by memory exhaustion), it's a lesser pain than remote code execution.

  3. Re:what does this cover? by xeer · · Score: 3, Informative

    No, Apache 1.3 sites are vulnerable, but you can protect yourself from the memory limit problem temporarily by disabling it as suggested above.

    As people are going to be recompiling PHP, it's probably timely to recommend the "--enable-inline-optimization" switch, which should be passed to the configure script. More to be found here. Oh, and get yourself an accelerator. I use PHP Accelerator, although it's not open source, unfortunately.

  4. Re:Secure yourself with this... by Anonymous Coward · · Score: 1, Informative

    What does that have to do with anything? Do IIS worms check to see what httpd you're running before delivering the payload?

    I turned off memory_limit and set max_execution to 2 seconds for our sites, but this still leaves us open to DoS attack (entire server is being swapped out for one running PHP5 - tomorrow). We are a special case; everybody else should patch ASAP.

    This is a serious hole, please don't give out incorrect information.
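
The workaround discussed in comments 2 to 4 (run without memory_limit until you can install 4.3.8) is easy to get wrong across a fleet of hosts, so here is a small audit script. It is an added example, not code from the page, from Stefan Esser's advisory, or from the PHP project. It assumes the CLI `php -i` output format (`memory_limit => 8M => 8M`), that a PHP built without memory_limit support simply does not print that line (an assumption; verify on your own build), and it ignores pre-release suffixes such as "RC1" when comparing versions. The function and variable names are the example's own.

```sh
#!/bin/sh
# Audit a PHP install against the 4.3.8 fix: either the version is 4.3.8 or
# newer, or memory_limit must be disabled as a stop-gap (still unpatched).
# Added example; not from the original page or the PHP project.

FIXED_VERSION="4.3.8"

# vercmp_lt A B: true (exit 0) when dotted version A is numerically lower
# than B. Non-numeric suffixes ("8RC1") are truncated by awk's string-to-
# number conversion, so 4.3.8RC1 compares equal to 4.3.8 (assumption).
vercmp_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i in x) ? x[i] + 0 : 0
            q = (i in y) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# assess_php VERSION MEMORY_LIMIT: prints a verdict and returns
#   0 = patched (4.3.8 or newer)
#   1 = vulnerable (older than 4.3.8, memory_limit active)
#   2 = unpatched but memory_limit disabled (workaround only; still upgrade)
# MEMORY_LIMIT is the value reported by php -i, or empty when the line is
# absent, which this example treats as "compiled without memory_limit".
assess_php() {
    ver=$1
    mlimit=$2
    if vercmp_lt "$ver" "$FIXED_VERSION"; then
        if [ -z "$mlimit" ]; then
            echo "UNPATCHED: PHP $ver < $FIXED_VERSION; memory_limit disabled (workaround only, upgrade soon)"
            return 2
        fi
        echo "VULNERABLE: PHP $ver < $FIXED_VERSION and memory_limit=$mlimit is active"
        return 1
    fi
    echo "OK: PHP $ver >= $FIXED_VERSION"
    return 0
}

# ini_value NAME: pull one setting from `php -i` (CLI "name => local => master"
# format). Prints nothing if php is missing or the setting is not reported.
ini_value() {
    command -v php >/dev/null 2>&1 || return 0
    php -i 2>/dev/null | awk -F' => ' -v key="$1" '$1 == key { print $2; exit }'
}

# audit_local_php: run the check against the php binary on PATH, also
# reporting register_globals and session support since comment 1 above says
# those are what expose a site to the bug. Exit status follows assess_php.
audit_local_php() {
    if ! command -v php >/dev/null 2>&1; then
        echo "php not found on PATH" >&2
        return 3
    fi
    ver=$(php -r 'echo PHP_VERSION;' 2>/dev/null)
    echo "register_globals => $(ini_value register_globals)"
    echo "session.save_handler => $(ini_value session.save_handler)"
    assess_php "$ver" "$(ini_value memory_limit)"
}

# Run the live audit only when invoked as: sh php_audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_local_php
fi
```

Constructed sample inputs for the decision function: `assess_php 4.3.7 8M` returns 1, `assess_php 4.3.7 ""` returns 2, and `assess_php 4.3.8 8M` returns 0. Note that return code 2 is still a finding: the script only confirms that the stop-gap is in place, and the DoS exposure comment 2 mentions remains.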

  5. Re:Hype? by Anonymous Coward · · Score: 1, Informative
    "PHP Development Team would like to announce the immediate availability of PHP 4.3.8. This release is made in response to several security issues that have been discovered since the 4.3.7 release. All users of PHP are strongly encouraged to upgrade to PHP 4.3.8 as soon as possible."
    I suggest that you learn to read.

    Additionally, Stefan Esser from e-matters is one of the PHP developers and one of their security team members, so he is the source itself.