[PHP] Re: [ANNOUNCE] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

2002-07-23 Thread Scott Fletcher

Very cute!   Upgrade Now!  It will work well with PHP newbies.  Not!

Richard Lynch [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
> > Not being an expert in PHP... I couldn't understand the vulnerability.
> > Can someone shed some light here.
>
> Very short explanation:
>
> Upgrade.
> Now!
>
> Longer one:
>
> If your web-site has *ANY* FORM tags on it, and you have PHP
> ready-and-waiting to process those FORMs, then somebody could manage to
> create a really icky FORM page and POST to your site and break in.
>
> Actually, even if you do *NOT* have the FORM tags, but you're allowing
> them in httpd.conf, and PHP is there, they could break in.
>
> Presumably the precise details of what you'd have to slam into the FORM to
> break in are simply too complex to fit into an Announcement of this nature.
> I imagine the Details could be dug out of Bugtraq and/or wherever the bug
> was first announced/discussed.  Presumably PHP-Dev and e-matters would be
> good places to start digging for gory details.
>
> If Upgrading is impossible, *AND* you don't use FORMs with PHP in the first
> place (highly unlikely) then you could just turn off POST (forms) in your
> httpd.conf and nobody will be allowed to POST (send a form) anything to your
> web-site, and then PHP won't ever see the data, since Apache stopped them,
> and the bug wouldn't kick in.
>
> Upgrade.
> Now!
>
> --
> Like Music?  http://l-i-e.com/artists.htm




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Re: [ANNOUNCE] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

2002-07-23 Thread Jason Wong

On Wednesday 24 July 2002 01:01, Scott Fletcher wrote:
> Very cute!   Upgrade Now!  It will work well with PHP newbies.  Not!

If 'PHP newbies' aren't able to perform the upgrade themselves, they should 
ask someone who can. If it was the 'PHP newbies' who originally did the php 
installation then the upgrade is just a matter of repeating the same steps as 
the original installation. There's nothing difficult about it.

-- 
Jason Wong - Gremlins Associates - www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
Hash table has woodworm
*/






[PHP] Re: [ANNOUNCE] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

2002-07-23 Thread Richard Lynch

> Very cute!   Upgrade Now!  It will work well with PHP newbies.  Not!

If you are on Windoze, just download and run the installer or whatever you
did last time that actually worked, as much as anything on Windoze works.

If on Un*x:

Download 4.2.2 from http://php.net and save it in /usr/src or wherever you
find convenient.

cd to the directory where php-4.2.2.tar.gz lives.

Untar it:
tar -xzf php-4.2.2.tar.gz

Copy the configure settings you used before:
cp php-4.1.0/config.nice php-4.2.2

Move into the new PHP directory:
cd php-4.2.2

Do the config.nice (it's what you used last time):
./config.nice

Pay attention to the crap that scrolls by, if you can read that fast :-)
Or, instead of just ./config.nice, use:
./config.nice > config.output 2>&1
Then you can use:
tail -f config.output
to see what's happening as it goes (type control-C to quit tail), or
less config.output
after you come back from your coffee-break.

Compile PHP:
make

(Maybe time for another coffee-break.)

Install PHP:
make install

Stop Apache: ***
/usr/local/apache/bin/apachectl stop

Start Apache:
/usr/local/apache/bin/apachectl start

Confirm the new PHP is working by surfing to a file with:
<?php phpinfo(); ?>
in it.

Remove that phpinfo() file.


Even for a newbie, this should probably take, like, a half hour? if
everything goes well.

Assuming a decently-powered box.  If you're installing on a Pentium1 laptop
or something, those coffee-breaks could turn into lunch and dinner breaks or
something.

*** There may be a better/different way to stop/start Apache on your server.
 Just make 100% sure you stopped it and started it again.

-- 
Like Music?  http://l-i-e.com/artists.htm
I'm looking for a PRO QUALITY two-input sound card supported by Linux (any
major distro).  Need to record live events (mixed already) to stereo
CD-quality.  Soundcard Recommendations?
Software to handle the recording? Don't need fancy mixer stuff.  Zero (0)
post-production time.  Just raw PCM/WAV/AIFF 16+ bit, 44.1KHz, Stereo
audio-to-disk.





[PHP] Re: [ANNOUNCE] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

2002-07-22 Thread Richard Lynch

> Not being an expert in PHP... I couldn't understand the vulnerability.
> Can someone shed some light here.

Very short explanation:

Upgrade.
Now!

Longer one:

If your web-site has *ANY* FORM tags on it, and you have PHP
ready-and-waiting to process those FORMs, then somebody could manage to
create a really icky FORM page and POST to your site and break in.

Actually, even if you do *NOT* have the FORM tags, but you're allowing
them in httpd.conf, and PHP is there, they could break in.

Presumably the precise details of what you'd have to slam into the FORM to
break in are simply too complex to fit into an Announcement of this nature. 
I imagine the Details could be dug out of Bugtraq and/or wherever the bug
was first announced/discussed.  Presumably PHP-Dev and e-matters would be
good places to start digging for gory details.

If Upgrading is impossible, *AND* you don't use FORMs with PHP in the first
place (highly unlikely) then you could just turn off POST (forms) in your
httpd.conf and nobody will be allowed to POST (send a form) anything to your
web-site, and then PHP won't ever see the data, since Apache stopped them,
and the bug wouldn't kick in.

Upgrade.
Now!

-- 
Like Music?  http://l-i-e.com/artists.htm


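What "turn off POST in your httpd.conf" looks like in practice, as an added example that is not from the thread: a directory-scoped rule that makes Apache reject every method except GET and HEAD before mod_php ever runs for the request. It assumes a DocumentRoot of /usr/local/apache/htdocs (matching the /usr/local/apache paths used elsewhere in the thread) and the Order/Deny access-control syntax of Apache 1.3 and 2.0/2.2.

```apache
# Interim mitigation only, for a site that takes no form input at all.
# Every method other than GET and HEAD (POST, PUT, ...) is refused with
# 403 Forbidden in Apache's access-check phase, so the request body is
# never handed to mod_php. Side effect: every HTML form on the site stops
# working until this block is removed, which is why upgrading PHP is the
# real fix and this is only a stopgap.
# The directory path is an assumption; use your own DocumentRoot.
<Directory "/usr/local/apache/htdocs">
    <LimitExcept GET HEAD>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

# After editing httpd.conf: check the syntax, then fully stop and start
# Apache (a reload is not enough to be sure on every setup), and confirm
# that a POST to any page on the site now gets 403 instead of reaching PHP.
#   /usr/local/apache/bin/apachectl configtest
#   /usr/local/apache/bin/apachectl stop
#   /usr/local/apache/bin/apachectl start
```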