Yes. Please post something to php.announce! Nothing ever gets announced in there anymore.
"Steve Meyers" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Can you post this to php.announce as well?
>
> Marko Karppinen wrote:
> >
> >
> > PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
> >
> >
> > Issued on: July 22, 2002
> > Software: PHP versions 4.2.0 and 4.2.1
> > Platforms: All
> >
> >
> > The PHP Group has learned of a serious security vulnerability in PHP
> > versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary
> > code with the privileges of the web server. This vulnerability may be
> > exploited to compromise the web server and, under certain conditions,
> > to gain privileged access.
> >
> >
> > Description
> >
> > PHP contains code for intelligently parsing the headers of HTTP POST
> > requests. The code is used to differentiate between variables and files
> > sent by the user agent in a "multipart/form-data" request. This parser
> > has insufficient input checking, leading to the vulnerability.
> >
> > The vulnerability is exploitable by anyone who can send HTTP POST
> > requests to an affected web server. Both local and remote users, even
> > from behind firewalls, may be able to gain privileged access.
> >
> >
> > Impact
> >
> > Both local and remote users may exploit this vulnerability to
> > compromise the web server and, under certain conditions, to gain
> > privileged access. So far only the IA32 platform has been verified to
> > be safe from the execution of arbitrary code. The vulnerability can
> > still be used on IA32 to crash PHP and, in most cases, the web server.
> >
> >
> > Solution
> >
> > The PHP Group has released a new PHP version, 4.2.2, which incorporates
> > a fix for the vulnerability. All users of affected PHP versions are
> > encouraged to upgrade to this latest version. The downloads web site at
> >
> > http://www.php.net/downloads.php
> >
> > has the new 4.2.2 source tarballs, Windows binaries and source patches
> > from 4.2.0 and 4.2.1 available for download.
> >
> >
> > Workaround
> >
> > If the PHP applications on an affected web server do not rely on HTTP
> > POST input from user agents, it is often possible to deny POST requests
> > on the web server.
> >
> > In the Apache web server, for example, this is possible with the
> > following code included in the main configuration file or a top-level
> > .htaccess file:
> >
> > <Limit POST>
> > Order deny,allow
> > Deny from all
> > </Limit>
> >
> > Note that an existing configuration and/or .htaccess file may have
> > parameters contradicting the example given above.
> >
> >
> > Credits
> >
> > The PHP Group would like to thank Stefan Esser of e-matters GmbH for
> > discovering this vulnerability.
> >
> >
> > Copyright (c) 2002 The PHP Group.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
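The advisory quoted above says the multipart/form-data parser "has insufficient input checking" but, sensibly, does not say where. The following is an added illustration written for this thread, not PHP's code and not a reproduction of the 4.2.0/4.2.1 flaw: a small multipart/form-data parser in which every delimiter, header terminator and part size is checked before any byte is consumed, so a truncated or oversized request is rejected rather than read past its end. The size limit, the `rejects` helper and the sample request (a constructed browser-style POST, not captured traffic) are assumptions made for the example.

```python
# Added illustration for this thread: a bounds-checked multipart/form-data parser.
# Not PHP's parser and not a reproduction of the 4.2.0/4.2.1 flaw; limits and sample are assumed.
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_PART_SIZE = 1 << 20  # assumed per-part limit for the example: 1 MiB

_BOUNDARY_RE = re.compile(r'^multipart/form-data\s*;\s*boundary=(?:"([^"]+)"|([^";\s]+))\s*$', re.I)
_PARAM_RE = re.compile(r';\s*([\w-]+)=(?:"([^"]*)"|([^;\s]*))')

@dataclass
class Part:
    name: str
    filename: Optional[str]
    content_type: str
    data: bytes

def _boundary(content_type: str) -> bytes:
    """Extract the boundary token; reject anything that is not multipart/form-data."""
    m = _BOUNDARY_RE.match(content_type)
    if not m:
        raise ValueError("not multipart/form-data or boundary missing")
    token = m.group(1) or m.group(2)
    if not 1 <= len(token) <= 70:  # RFC 2046 section 5.1.1 length limit
        raise ValueError("boundary length out of range")
    return token.encode("ascii")

def _safe_filename(name: str) -> str:
    """Keep only the last path component so the client cannot choose a directory."""
    return name.replace("\\", "/").rsplit("/", 1)[-1]

def _parse_headers(raw: bytes) -> dict:
    headers = {}
    for line in raw.split(b"\r\n"):
        if b":" not in line:
            raise ValueError("malformed part header")
        key, value = line.split(b":", 1)
        headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers

def parse_multipart(content_type: str, body: bytes, max_part_size: int = MAX_PART_SIZE) -> List[Part]:
    """Split the body into parts; a missing delimiter or an oversized part rejects the request."""
    delim = b"--" + _boundary(content_type)
    pos = body.find(delim)
    if pos < 0 or (pos > 0 and body[pos - 2:pos] != b"\r\n"):
        raise ValueError("opening delimiter not found at the start of a line")
    parts: List[Part] = []
    while True:
        pos += len(delim)
        if body[pos:pos + 2] == b"--":
            return parts  # closing delimiter "--boundary--"
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("unexpected bytes after delimiter")
        pos += 2
        hend = body.find(b"\r\n\r\n", pos)  # end of this part's header block
        if hend < 0:
            raise ValueError("part headers not terminated")
        headers = _parse_headers(body[pos:hend])
        disp = headers.get("content-disposition", "")
        if not disp.lower().startswith("form-data"):
            raise ValueError("part is not form-data")
        params = {k.lower(): (q or u) for k, q, u in _PARAM_RE.findall(disp)}
        if "name" not in params:
            raise ValueError("form-data part without a name")
        start = hend + 4
        end = body.find(b"\r\n" + delim, start)  # the part's data runs up to the next delimiter
        if end < 0:
            raise ValueError("part body not terminated by a delimiter")
        if end - start > max_part_size:
            raise ValueError("part exceeds size limit")
        filename = params.get("filename")
        parts.append(Part(params["name"], None if filename is None else _safe_filename(filename),
                          headers.get("content-type", "text/plain"), body[start:end]))
        pos = end + 2  # now positioned at the next delimiter

def rejects(content_type: str, body: bytes, **limits) -> bool:
    """True if the parser refuses the request; used to show the checks firing."""
    try:
        parse_multipart(content_type, body, **limits)
    except ValueError:
        return True
    return False

# Constructed sample request: one text field and one upload whose filename smuggles a path.
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=----boundary42"
SAMPLE_BODY = (
    b"------boundary42\r\n"
    b'Content-Disposition: form-data; name="user"\r\n'
    b"\r\n"
    b"alice\r\n"
    b"------boundary42\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="../../etc/passwd"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\n\r\n"
    b"------boundary42--\r\n"
)
```

The point of the structure is that each `find` result is tested before it is used as an offset, and the data of a part is taken as a slice between two delimiters that have both been located; a request with the closing delimiter chopped off, junk after a delimiter, or a part larger than the configured limit fails closed. The filename is also reduced to its last path component before it reaches the application, which is a separate but routine hardening step for upload handlers.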

