Hi Vincent, all
I found this the other day:
http://archives.neohapsis.com/archives/bugtraq/2003-06/0027.html ..., and I thought I should share this info and a possible fix: --- php.ini 2003-01-06 05:40:15.000000000 +0100 +++ php.ini.oden 2003-06-05 21:58:02.000000000 +0200 @@ -191,7 +191,7 @@ ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. This directive is ; *NOT* affected by whether Safe Mode is turned On or Off. -disable_functions = +disable_functions = phpinfo ; Colors for Syntax Highlighting mode. Anything that's acceptable in ; <font color="??????"> would work. --- php-ini.spec 2003-01-07 23:47:00.000000000 +0100 +++ php-ini.spec.oden 2003-06-05 21:56:40.000000000 +0200 @@ -1,6 +1,6 @@ Name: php-ini Version: 4.3.0 -Release: 1mdk +Release: 2mdk Group: Development/Other URL: http://www.php.net License: PHP License @@ -51,5 +51,8 @@ %doc %{_docdir}/%{name}-%{version}/* %changelog +* Thu Jun 05 2003 Oden Eriksson <[EMAIL PROTECTED]> 4.3.0-2mdk +- temporary fix for the PHP XSS exploit in phpinfo() + * Sat Jan 4 2003 Jean-Michel Dault <[EMAIL PROTECTED]> 4.3.0-1mdk - New package Cheers. -- Regards // Oden Eriksson, Deserve-IT.com
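Review bot: The php.ini hunk (`-disable_functions =` / `+disable_functions = phpinfo`) is a blunt workaround rather than a fix: it removes the vulnerable function from every script on the host, so any application or admin page that calls `phpinfo()` will now fail with an undefined-function error instead of rendering. That is an acceptable trade for a temporary mitigation, but the change should be announced to users of the package and paired with a follow-up to revert it once a php package with a corrected `phpinfo()` ships, otherwise the restriction tends to survive indefinitely. It is worth noting in the changelog that `disable_functions` can only be set in php.ini (not via `ini_set()` at runtime), which is what makes this workaround effective rather than something a script could undo.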
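Review bot: The spec changelog entry (`+- temporary fix for the PHP XSS exploit in phpinfo()`) should reference the advisory it responds to, e.g. the bugtraq URL cited at the top of this mail, so the entry is traceable and the reviewer of the later revert knows what was being mitigated; "vulnerability" also reads better than "exploit" here, since the change works around the flaw rather than an exploit. The Release bump from `1mdk` to `2mdk` and the `@@ -51,5 +51,8 @@` line count (two entry lines plus the separating blank line) are consistent.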