>Not being an expert in PHP... I couldn't understand the vulnerability.
>Can someone shed some light here?

Very short explanation:

Upgrade.
Now!

Longer one:

If your web-site has *ANY* FORM tags on it, and you have PHP
ready-and-waiting to process those FORMs, then somebody could manage to
create a really icky FORM page and POST to your site and break in.

Actually, even if you do *NOT* have the FORM tags, but you're "allowing"
them in httpd.conf, and PHP is there, they could break in.

Presumably the precise details of what you'd have to slam into the FORM to
break in are simply too complex to fit into an Announcement of this nature. 
I imagine the Details could be dug out of Bugtraq and/or wherever the bug
was first announced/discussed.  Presumably PHP-Dev and e-matters would be
good places to start digging for gory details.

If Upgrading is impossible, *AND* you don't use FORMs with PHP in the first
place (highly unlikely) then you could just "turn off" POST (forms) in your
httpd.conf and nobody will be allowed to POST (send a form) anything to your
web-site, and then PHP won't ever see the data, since Apache stopped them,
and the bug wouldn't kick in.

Upgrade.
Now!

-- 
Like Music?  http://l-i-e.com/artists.htm


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
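
The "turn off POST" workaround described in the message above, sketched as an httpd.conf fragment. This is an added example, not part of the original post; the directory path is an assumed placeholder, and the syntax to use depends on the Apache version.

```apache
# Added example: stopgap for a site that cannot upgrade yet and does not
# process forms with PHP. "/var/www/html" is an assumed document root.

# Apache 2.4 syntax (mod_authz_core)
<Directory "/var/www/html">
    # Deny only the POST method; GET and HEAD requests are unaffected.
    <Limit POST>
        Require all denied
    </Limit>
</Directory>

# Apache 1.3 / 2.0 / 2.2 syntax (mod_access / mod_authz_host).
# Use this block instead of the one above on those versions.
# <Directory "/var/www/html">
#     <Limit POST>
#         Order deny,allow
#         Deny from all
#     </Limit>
# </Directory>
```

After a restart, a POST to any URL under that directory should get a 403 from Apache before the PHP handler runs, while ordinary page views keep working.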
