on 3/3/02 7:39 PM, Ric Maņalac at [EMAIL PROTECTED] appended the following bits to my mbox:
> i personally think that the developer still has > the control in making his php code secure. but how do you > think will this news affect php as one of the most popular > choice for web developers? Probably doesn't belong so much on the PHP-DB list, since databases not involved, but since some of you on the list may not be aware.... In most cases, PHP security can be controlled by the developer, but *not* in this case. Basically, most php security problems stem from someone not properly checking input and being sloppy when connecting to databases, etc. This case, however, is an actual problem in the PHP server code, not anything you would write. To summarize, if you have file_uploads enabled on the server, php parses "multipart/form-data" data that is sent to the script. It does this for *any* file, not just the ones that have file uploads in them. The bug is in that code and can be used by malicious parties to do evil things on your server. It can be used against you even if you only have one page on your server parsed by PHP and the hacker can find it. The original report is here: <http://security.e-matters.de/advisories/012002.html> Basically you have three options: 1) Disable file_uploads, if you're not using them, in the php.ini file. This works for PHP 4.0.3 or greater. 2) Apply the source patch to your source tree and rebuild. Works for PHP 3.0.18, 4.06, 4.1.0 and 4.1.1. 3) Upgrade to PHP 4.1.2 You should really do this as soon as possible. I'm sure someone will make a Code Red type of infestation soon to exploit this bug soon. Evidently, there is a crude exploit circulating. Hope that helps. Paul <?php while ($self != "asleep") { $sheep_count++; } ?> -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
