PHP 4.3.8 Released, Fixing Remote Security Hole

christian klink writes "While it was already reported on Slashdot, that PHP5 was released, it was not mentioned that the PHP developers have also announced the release of PHP 4.3.8 which is supposed to fix a major remote security hole in nearly all PHP installations. Additionally this new version adds a workaround for another Internet Explorer bug. The bugs were found by security specialist Stefan Esser of e-matters who is also a member of the PHP developers."

Re:not exploitable everywhere?

[Inominate]

register_globals is almost always on, except for small sites with all recently developed code.

And sessions are also very commonly used.

Basicly everyone who uses PHP uses one if not both of these.

Temporary solution?

[ptaff]

A temporary workaround (while distributions update their packages) is to disable the memory_limit parameter. Though it can bring other weaknesses on a server (DoS by memory exhaustion), it's a lesser pain than remote code execution.

Re:what does this cover?

[xeer]

No, apache 1.3 sites are vulnerable, but you can protect yourself from the memory limit problem temporarily by disabling it as suggested above.

As people are going to be recompiling PHP it's probably timely to recommend the "--enable-inline-optimization" switch which should be passed to the configure script. More to be found here Oh, and get yourself an accelerator. I use PHP Accelerator although it's not open sourse unfortunately.