-
Ursus Arctos Moderatis
PHP - Linux/Solaris Servers: at risk
Click here to read a recent security alert concerning PHP on Linux/Solaris servers. Surprisingly enough, IIS Servers are *not* vulnerable to this security flaw. (I know, it shocked me too!)
-
Hammerhead Shark
What about the version I am running on all my boxen -- 4.1.0?
-
Ursus Arctos Moderatis
I'm afraid your box(es) are at risk, e_dawg. All versions earlier than the developer version of PHP 4.2.0-beta (found on SourceForge's CVS) are vulnerable.
The article says:
Users running the developer version of php (4.2.0-dev) are not vulnerable to these bugs because the fileupload support was completely rewritten for that branch.
Though there is a quick work-around for versions later than 4.0.3:
Recommendation
If you are running PHP 4.0.3 or above, one way to work around these bugs is to disable the fileupload support within your php.ini (file_uploads = Off). If you are running php as a module, keep in mind to restart the webserver. Anyway, you should better install the fixed or a properly patched version to be safe.
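
An added example, not part of the thread or the advisory: a Python check that applies the version ranges and the `file_uploads = Off` workaround quoted above to the text of a php.ini. The function names, result labels and sample php.ini are constructed for illustration, and treating every release from 4.2.0 onward like 4.2.0-dev is an assumption.

```python
import re

# php.ini values that PHP reads as boolean false; anything else is true.
FALSE_VALUES = {"0", "off", "false", "no", "none", ""}

# Constructed sample php.ini, not taken from a real server.
SAMPLE_INI = """\
[PHP]
;file_uploads = Off
file_uploads = On
upload_tmp_dir = /tmp
file_uploads = Off   ; workaround from the advisory
"""

def file_uploads_enabled(ini_text):
    """Return the effective file_uploads setting found in php.ini text."""
    enabled = True  # PHP's built-in default when the directive is absent
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "file_uploads":  # directive names are case sensitive
            # A later assignment overrides an earlier one.
            enabled = value.strip("\"'").lower() not in FALSE_VALUES
    return enabled

def assess(version, ini_text):
    """Classify a host using the version ranges quoted in the thread."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError("unrecognised PHP version: %r" % version)
    parsed = tuple(int(part) for part in match.groups())
    if parsed >= (4, 2, 0):
        # Assumption: later releases carry the rewritten upload code too.
        return "rewritten-upload-code"
    if parsed < (4, 0, 3):
        # The quoted workaround is only offered for 4.0.3 and above.
        return "at-risk-no-workaround"
    if file_uploads_enabled(ini_text):
        return "at-risk"
    return "workaround-applied"

if __name__ == "__main__":
    print(assess("4.1.0", SAMPLE_INI))
```

The check reads the file on disk only; when PHP runs as a web server module the setting takes effect after the restart the advisory mentions.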
-
Hammerhead Shark
I didn't use the internal stuff -- I had to grab data from the header of the file and transfer the file straight into the database (nothing on the disk), so, filetransfer is off on all my boxen anyway...