Click here to read a recent security alert concerning PHP on Linux/Solaris servers. Surprisingly enough, IIS Servers are *not* vulnerable to this security flaw. (I know, it shocked me too!)
What about the version I am running on all my boxen -- 4.1.0?
I'm afraid your box(es) are at risk, e_dawg. All versions earlier than the developer version of PHP 4.2.0-beta (found on SourceForge's CVS) are vulnerable.
The article says:
Quote:
Users running the developer version of php (4.2.0-dev) are not vulnerable to these bugs because the fileupload support was completely rewritten for that branch.
Though there is a quick work-around for versions later than 4.0.3:
Quote:
Recommendation
If you are running PHP 4.0.3 or above, one way to work around these bugs is to disable the fileupload support within your php.ini (file_uploads = Off). If you are running php as a module, keep in mind to restart the webserver. Anyway, you should better install the fixed or a properly patched version to be safe.
I didn't use the internal stuff -- I had to grab data from the header of the file and transfer the file straight into the database (nothing on the disk), so, filetransfer is off on all my boxen anyway... :)