[PHP-DEV] Re: FW: [PHP-QA] New Windows Binaries

2002-03-01 Thread Rui Hirokawa


Is this patch for Windows already applied
to CVS's PHP 4_0_7 branch?

Rui

> Shane and I worked last night to build Windows versions of 4.1.2, and also
> fix a further vulnerability which exists when you call the cgi directly, for
> example in cgi with apache, it was possible to call
> http://example.com/php/php.exe?c:\winnt\repair\sam to get the equivalent of
> the /etc/passwd file.
> 
> We have patched it so it is no longer possible to call it directly, so this
> vulnerability is at least worked around.
> 
> Due to the fact that some webservers fix this by default anyway, we have 2
> new ini options. (see them in the php.ini in the source).
> 
> The particular one you'll need to set is cgi.force-redirect (0|1) so that
> for servers that are not exploitable (e.g., IIS) you override the setting.
> 
> I hope that made sense, check out the attached binaries... let us know if
> there are any problems. If not, I'll put them up on the website with
> detailed (thought out) install instructions for all those Windows users,
> and add comments to the docs.
> 
> Thanks,
> 
> James


-- 
-
Rui Hirokawa <[EMAIL PROTECTED]>
 <[EMAIL PROTECTED]>

-- 
PHP Development Mailing List 
To unsubscribe, visit: http://www.php.net/unsub.php
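The direct-invocation problem James describes, and the cgi.force-redirect workaround, modelled as an added Python example that is not code from this thread or from PHP itself. It assumes the mechanism PHP documents for that option (spelled cgi.force_redirect in php.ini): the CGI binary refuses to run unless the web server placed a REDIRECT_STATUS marker (or HTTP_REDIRECT_STATUS, or a custom variable named by cgi.redirect_status_env) in its environment, which a browser hitting php.exe directly cannot supply; the log scanner and its log lines are constructed for the example.

```python
import re

# Why the URL in the thread works: under the CGI spec, a query string that
# contains no '=' is passed to the program as a command-line argument, so a
# directly invoked php.exe treats "c:\winnt\repair\sam" as the script to run
# and echoes the file's contents. The guard below models cgi.force_redirect:
# only requests the web server itself redirected into the CGI are served.
REDIRECT_MARKERS = ("REDIRECT_STATUS", "HTTP_REDIRECT_STATUS")


def should_serve(env, force_redirect=True, redirect_status_env=None):
    """Return True if the CGI should run the request described by env."""
    if not force_redirect:
        return True  # operator opted out (servers such as IIS that are not exposed)
    markers = list(REDIRECT_MARKERS)
    if redirect_status_env:  # custom marker name for other web servers
        markers.append(redirect_status_env)
    return any(name in env for name in markers)


# Constructed Apache-style access-log lines. Line 2 is the direct invocation
# from the thread; line 4 is a direct hit without a query (no argument passed).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2002:10:00:01 +0000] "GET /index.php HTTP/1.0" 200 512
10.0.0.9 - - [01/Mar/2002:10:00:07 +0000] "GET /php/php.exe?c:\\winnt\\repair\\sam HTTP/1.0" 200 8192
10.0.0.9 - - [01/Mar/2002:10:00:09 +0000] "GET /php/php.exe?c:\\boot.ini HTTP/1.0" 200 1024
10.0.0.5 - - [01/Mar/2002:10:00:12 +0000] "GET /php/php.exe HTTP/1.0" 403 0
"""

# Any request whose target is the CGI binary itself followed by a query string:
# with force_redirect on these should be failing, so a 200 here is a finding.
DIRECT_CGI = re.compile(r'"(?:GET|POST|HEAD) (/[^" ]*?/php\.exe\?[^" ]+) ')


def find_direct_cgi_calls(log_text):
    """Return (client_ip, request_target) for direct php.exe calls with a query."""
    hits = []
    for line in log_text.splitlines():
        match = DIRECT_CGI.search(line)
        if match:
            hits.append((line.split()[0], match.group(1)))
    return hits


if __name__ == "__main__":
    print(should_serve({"QUERY_STRING": r"c:\winnt\repair\sam"}))  # False
    print(should_serve({"REDIRECT_STATUS": "200"}))  # True
    for ip, target in find_direct_cgi_calls(SAMPLE_LOG):
        print(ip, target)
```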




RE: [PHP-DEV] Re: FW: [PHP-QA] New Windows Binaries

2002-03-01 Thread James Cox

Rui,

No, it's against the 4_1_2 branch.







RE: [PHP-DEV] Re: FW: [PHP-QA] New Windows Binaries

2002-03-01 Thread Rasmus Lerdorf

There is no 4_1_2 branch.  There is a PHP_4_1_2 tag.  The 4.1.x branch is
called 4_0_7 currently.  Yeah, I know it sucks.

-Rasmus

On Sat, 2 Mar 2002, James Cox wrote:

> Rui,
>
> No, it's against the 4_1_2 branch.






RE: [PHP-DEV] Re: FW: [PHP-QA] New Windows Binaries

2002-03-02 Thread James Cox

oh...

we probably need to fix that..

James







RE: [PHP-DEV] Re: FW: [PHP-QA] New Windows Binaries

2002-03-02 Thread Rasmus Lerdorf

Quoting James Cox <[EMAIL PROTECTED]>:

> oh...
> 
> we probably need to fix that..
> 

The name of the branch doesn't matter much and it isn't all that easy to fix.






RE: [PHP-DEV] Re: FW: [PHP-QA] New Windows Binaries

2002-03-02 Thread derick

On Sat, 2 Mar 2002, James Cox wrote:

> oh...
>
> we probably need to fix that..

That is quite impossible, and I don't see a reason why it should be
changed actually.

Derick







RE: [PHP-DEV] Re: FW: [PHP-QA] New Windows Binaries

2002-03-02 Thread derick

On Sat, 2 Mar 2002, James Cox wrote:

> Rui,
>
> No, it's against the 4_1_2 branch.

There is no 4_1_2 branch, Rui was right, it has been applied to the
PHP_4_0_7 branch.

Derick



