It's a new problem - www.php.net has a fix available though.

Nick Wilson (E-mail) wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>Hi everyone, a potential client just sent me this. Is it an old problem?
>or a new one?
>
>- ----------begin forwarded worrier-----------
>
>Hi Nick
>
>Did you mention that you use PHP?
>
>I subscribe to a photo gallery site and they stopped uploads due to the
>following problem.
>
>"[Feb 27, 2002, 10:11 PM] Emergency Security Update
> Within the last 24 hours, details of a vulnerability in PHP which
>can be exploited remotely have been made public. The vulnerability allows
>any attacker to send a malformed POST request to a PHP-enabled Web server in
>a manner that will allow remote access as the user running the Web server
>processes. In the general case on our servers, this means the "nobody" user.
>
> Although the "nobody" user has limited privileges, any such access
>is a potential launching point for other nefarious activities. Moreover,
>some customers may be using a PHP with cgiwrap, meaning that their actual
>account is vulnerable because of this weakness.
> We are working to deploy and test a new build of Apache that will
>include PHP 4.1.2, the version created specifically to address this
>vulnerability. However, this requires careful testing and can not be
>deployed immediately. In the interim, therefore, we have disabled the file
>upload feature of PHP on our servers. This is the quick workaround
>recommended by PHP developers and the CERT advisory. We are also contacting
>all customers who are using custom PHP builds, and recommending that they
>take similar steps until such time as they can deploy PHP 4.1.2.
> We understand that this change interferes with functionality for
>some customer sites. We will have the new Apache+PHP build in place as soon
>as possible, and will post a further notice at that time. We ask that our
>customers respect our insistence on treating security vulnerabilities as
>problems no less critical than system outages.
> For more information, please visit:
> <http://www.cert.org/advisories/CA-2002-05.html>
> <http://security.e-matters.de/advisories/012002.html>
>
>regards
>
>
>Steve Pickering
>
>SimCorp Financial Training A/S
>Indiakaj 1, 2100 Copenhagen O
>Denmark
>Phone: +45 35 44 68 00, Direct: +45 35 44 68 17, Mobile: +45 40 86 41 13,
>Fax: +45 35 44 68 11
>mailto:[EMAIL PROTECTED] Homepage: http://www.simcorp.com
>
>
>
>This message, and any associated files, is intended only for the use of the
>individual or entity to which it is addressed and may contain information
>that is confidential, privileged, subject to copyright or which constitutes
>a trade secret. If you are not the intended recipient you are hereby
>notified that any dissemination, copying, or distribution of this message or
>files associated with this message is strictly prohibited. If you have
>received this message in error, please notify us immediately or forward this
>message immediately to [EMAIL PROTECTED] Thank You
>
>- ----- End forwarded message -----
>
>- --
>- -----------------------------------------------------------
> www.explodingnet.com | Projects, Forums and
> + Articles for website owners
>- -- Nick Wilson -- | and designers.
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.6 (GNU/Linux)
>
>iD8DBQE8fgF7HpvrrTa6L5oRAlz3AJ9O0FG+5JQrkSFfRYrD+NuKnUnkUQCdFkSM
>ZpnF/f9HI/AtHeZAV7hPsPk=
>=3HmD
>-----END PGP SIGNATURE-----
>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
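A defender's check that follows from the forwarded notice, added here as an example; it is not code from the thread, from the hosting provider, or from the PHP project. It uses only the two facts the notice states: PHP 4.1.2 is the release that addresses the vulnerability, and turning file uploads off (`file_uploads = Off` in php.ini) is the interim workaround. The function name and the sample version/ini pairs are constructed for illustration.

```php
<?php
// Added example (not from the original thread): decide whether a PHP build
// still needs the workaround the notice describes. The thresholds are taken
// from the quoted notice: 4.1.2 is the fixed release, and disabling the
// file upload feature is the interim workaround recommended until upgrade.

// Pure function (hypothetical name) so the decision can be reviewed and
// tested independently of whatever host runs it.
function assess_upload_exposure($version, $file_uploads)
{
    $fixed = version_compare($version, '4.1.2', '>=');

    // ini_get() returns strings such as "1", "0", "On", "Off" or "", so
    // normalise before treating the value as a boolean.
    $enabled_values = array('1', 'on', 'yes', 'true');
    $uploads_on = in_array(strtolower(trim((string) $file_uploads)), $enabled_values, true);

    if ($fixed) {
        return array('status' => 'ok',
                     'reason' => "PHP $version includes the fix; file uploads may stay enabled");
    }
    if (!$uploads_on) {
        return array('status' => 'mitigated',
                     'reason' => "PHP $version predates 4.1.2 but file_uploads is off (interim workaround in place)");
    }
    return array('status' => 'exposed',
                 'reason' => "PHP $version predates 4.1.2 and file_uploads is on; set file_uploads = Off in php.ini until upgraded");
}

// Constructed sample inputs so the decision table can be read without a server.
$samples = array(
    array('4.1.1', 'On'),   // old build, uploads enabled  -> exposed
    array('4.1.1', '0'),    // old build, uploads disabled -> mitigated
    array('4.1.2', '1'),    // fixed build                 -> ok
);
foreach ($samples as $s) {
    $r = assess_upload_exposure($s[0], $s[1]);
    printf("%-6s file_uploads=%-3s => %-9s %s\n", $s[0], $s[1], $r['status'], $r['reason']);
}

// The same check against the interpreter actually running this script.
$live = assess_upload_exposure(PHP_VERSION, ini_get('file_uploads'));
printf("this host: %s (%s)\n", $live['status'], $live['reason']);
```

Run it once per PHP build in use (including any custom cgiwrap builds the notice mentions): a `mitigated` result means the workaround is in place but the upgrade is still outstanding, and `exposed` means neither step has been taken on that host.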