View Full Version : Is php 4.0.6 really unsecure???
snoooky 03-13-2002, 01:48 PM Hey folks, here is the dilemma.
My host has several servers, some of them are running php4.1.1 others are running 4.0.6.
Are either of these actually worthy of tight security with normal settings in place? i.e... file uploads set to enabled
Reading over some of the posts on their forum, apparently both of the above are open to security breaches from some command line hackers... which can, HAVE, and I am sure will continue to have full (self granted) access privileges to the entire server.
When I asked support when they expect to upgrade 'my server' I was given a response that was not very well received, In fact it pissed me off!
The response is as follows:
Our ticket system has taken priority to software upgrades. We will be preparing for software upgrades again once we get our ticket queue back under control.
It is in our plans, but I can't give you a schedule just yet.
While the above response may seem reasonable to some minute extent, it does not make me very comfortable.
Any thoughts of what to do and how to react would be appreciated.
Thanks,
snoooky~
Actually, there is a security hole found on all php before version 4.1.2. The safest bet is to upgrade to php 4.1.2.
bitserve 03-13-2002, 04:28 PM They aren't necessarily vulnerable, as there were patches for those versions.
There are a lot of web hosting businesses whose subsystems are so outdated, that they can't compete with those that are more current. I think it's caused by lack of a competent development team and system administrators.
avara 03-13-2002, 04:31 PM 4.1.2 here. :)
But as has been said, there are patches for older versions, so it doesn't have to be unsecure. In fact, Ensim I believe only released a patch for the 4.0.6 version... Instead of an upgrade to 4.1.2.
snoooky 03-13-2002, 04:51 PM Thanks for the comments you three!
If I was a cat, I would be running out of time. As curiosity killed that sucker... hehe
One more thing, Let's say you ARE running 4.0.6 and you elect to upgrade to 4.1.2.
How long of a process, is the above upgrade?
Are we talking days, hours, or a matter of minutes? (my guess would be under an hour, depending on the tech's skills) of course this would have to be followed by that daunting task of "restarting the server" gesshhhhh ;)
To see my host in action with those recent upgrades to 4.1.1... it sure did seem painful for them
Thanks,
snoooky~
Zutroy 03-13-2002, 06:30 PM It would take a matter of minutes, at least from my experiences.
snoooky 03-14-2002, 01:07 AM Yeah... thought so!
To the Moderators:
My bad for posting in the wrong forum section... Thank you for placing it in the appropriate place.
snoooky
In addition to Zutroy's, it is as easy as upgrading to php 4.1.1. Basically, your host needs to download php 4.1.2, and then use whatever command that he/she used to upgrade from php 4.0.6 to 4.1.1. Very easy :)
bitserve 03-14-2002, 12:45 PM Originally posted by snoooky
...To see my host in action with those recent upgrades to 4.1.1... it sure did seem painful for them...
For your host, it IS going to be a little painful.
Here's how it should be done:
Even with an emergency update like a security vulnerability, it should be installed on a development machine first. If it breaks nothing, then it should be immediately deployed to the production machines without further testing. If it does break something, then you should disable the service that has a vulnerability while you work that problem out on the development server. With this method, security patches are installed within a couple of hours of release, or the service/subsystem is disabled until it can be patched.
It should then be thoroughly tested.
If it's not an emergency, then it should be installed and thoroughly tested for at least a week on a development machine before it is deployed on the production machines.
IMHO.
Abu Mami 03-14-2002, 01:51 PM Originally posted by snoooky
Is php 4.0.6 really unsecure???
Umm, I don't think so. I think it's just a neurosis.
snoooky 03-14-2002, 02:38 PM Abu,
Get real
:rolleyes:
Abu Mami 03-15-2002, 02:18 AM Originally posted by snoooky
Get real
Tried real. prefer virtual. :-))
priyadi 03-15-2002, 02:31 AM In my experience, upgrading to 4.1.2 breaks some scripts :(, namely scripts that use the crypt() function. So I'd settle with patched 4.0.6 for the time being.
Abu Mami 03-15-2002, 06:45 AM Originally posted by priyadi
In my experience, upgrading to 4.1.2 breaks some scripts :(, namely scripts that use the crypt() function. So I'd settle with patched 4.0.6 for the time being.
Hmm, this is not good. I'm contemplating an upgrade from 4.04 to 4.12 (see the thread I started "upgrading php"), and this is exactly one of the things that concerns me. What else gets broken?
I'm still trying to figure out how to compile the sucker. I can't seem to figure out what I need in the configuration file.
priyadi 03-15-2002, 03:44 PM Originally posted by Abu Mami
Hmm, this is not good. I'm contemplating an upgrade from 4.04 to 4.12 (see the thread I started "upgrading php"), and this is exactly one of the things that concerns me. What else gets broken?
I'm still trying to figure out how to compile the sucker. I can't seem to figure out what I need in the configuration file.
I haven't seen anything else get broken, but I think I'll let the others find out :).
About the configuration file, I believe you can use the old php.ini from your previous php installation without problem.
Abu Mami 03-16-2002, 01:32 PM Originally posted by priyadi
About the configuration file, I believe you can use the old php.ini from your previous php installation without problem.
I wasn't referring to the php.ini file. What I meant was the config file for the compile of PHP. As I understand it, the config file contains the desired compile parameters.
bitserve 03-17-2002, 02:36 AM We haven't noticed any problems after upgrading to 4.1.2. I didn't test the crypt function specifically, but no one has complained.
Abu, you might want to start a new thread about your config.
terrastudios 03-17-2002, 06:42 AM We ain't seen any problems either after the upgrade
< QUOTE
Our ticket system has taken priority to software upgrades. We will be preparing for software upgrades again once we get our ticket queue back under control.
It is in our plans, but I can't give you a schedule just yet.
QUOTE >
I like that, lol, hmmmmmmm it takes like 3-4 mins to upgrade to php 4.1.2 from source, hmmmmmmmm
LOL anyway just to let you know php 4.1.2 seems fine on our boxes.
Abu Mami 03-17-2002, 07:32 AM Originally posted by terrastudios
I like that, lol, hmmmmmmm it takes like 3-4 mins to upgrade to php 4.1.2 from source
Terra, sorry, but I gotta disagree with this assessment. Maybe it only takes YOU 3-4 mins to upgrade, but that's because you know what you're doing. As you can see from this thread and another one in a similar vein, I'm also attempting the upgrade, and it's taken me several days of research so far. I've read the threads here, I've consulted with the php.net and redhat sites, looked in a couple of other forums, and have also searched far and wide on the web for more material on this. I just continue to get more confused.
I can't determine what configure parameters I need, if I need imap, if my scripts will still work, and so on. It may only take you 3-4 minutes, but I've peed my pants 3-4 times so far :-) - and I haven't even tried the upgrade yet. I'm afraid I'll break my server.
Don't get me wrong, I'm not a wet behind the ears newbie, but I'm no big Linux expert either. I realize that I know enough to get into trouble, and I don't know enough to get the stupid upgrade done.
:confused: *sigh*
Tim Greer 03-17-2002, 06:17 PM The time upgrading depends on what you currently have, want to keep and want to add in the new PHP configuration, if at all. It also depends on if PHP is compiled as a core module or not. However, either way, it is pretty easy and the original subject was in regards to this person's web host -- and they should know enough to do it quickly.
Basically, just load up a page with <?phpinfo();?> and see what's there. If you don't have or aren't able to use local system files or source to simply include (or re-include) the modules PHP currently uses, you can download them to possibly build them, if needed (or if the source is needed), possibly compile them if needed, then execute PHP's configuration options with basically what you have in your current configuration (give or take, you also have a chance to upgrade things like imap, etc. too, which is cool), and compile it to build with or into Apache (and maybe compile Apache too -- but if it's a core module (PHP, that is), and you need to recompile Apache too, you'll need not only Apache, but any module that had other than PHP, which can be any number of things), so it's best to use apxs and have it be a loadable module for quick upgrades, changes, etc., unless you have the source for everything else handy, in which case I usually compile it as a core module and take the opportunity to upgrade everything else, if there are any new and stable versions of other modules, etc. for Apache.
I upgraded a few servers, and it took about 10 to 20 minutes for 6 server upgrades. We had no complaints, other than the one about crypt(), but I believe that was an easy workaround, as the thing just defaulted to MD5, which is a better encryption anyway, and allows for longer, more complex passwords. But, none of us want to force anything on the clients, not without saying anything -- but depending on what you do, it might be a better idea to upgrade and deal with that usually minor issue anyway, rather than be a potential target.
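The crypt() breakage priyadi and Tim Greer mention comes down to how a script feeds the stored hash back into crypt(). An added example (PHP, not code from any poster in this thread) that assumes a crypt() build supporting both traditional DES and MD5 "$1$" hashes; the hashes are constructed at run time rather than taken from a real system:

```php
<?php
// Added example, not from the thread. A check written against the old
// 2-character DES salt stops working once crypt() emits MD5-style
// "$1$..." hashes; feeding the whole stored hash back in as the salt
// keeps both kinds of hash verifying across the upgrade.

// Fragile pattern: assumes every stored hash is traditional DES, so it
// re-derives the salt from the first two characters.
function verify_fragile($password, $stored) {
    return crypt($password, substr($stored, 0, 2)) === $stored;
}

// Robust pattern: crypt() recovers the algorithm and salt from the stored
// hash itself, so DES and MD5 hashes both verify, before and after upgrading.
function verify_robust($password, $stored) {
    $calc = crypt($password, $stored);
    // Some crypt() builds return short "*0"/"*1" failure markers on a bad
    // salt; treat anything shorter than a DES hash as a failed check.
    if (strlen($calc) < 13) {
        return false;
    }
    return $calc === $stored;
}

// Constructed test data: one password hashed with an explicit DES salt
// (what a pre-upgrade script stored) and with an explicit MD5 salt (what a
// post-upgrade crypt() with no salt given would produce).
$password = 'correct horse';
$des_hash = crypt($password, 'ab');
$md5_hash = crypt($password, '$1$abcdefgh$');

$cases = array('DES' => $des_hash, 'MD5' => $md5_hash);
foreach ($cases as $kind => $hash) {
    printf("%s  fragile=%s  robust=%s\n", $kind,
        verify_fragile($password, $hash) ? 'ok' : 'FAIL',
        verify_robust($password, $hash) ? 'ok' : 'FAIL');
}
```

For the DES hash both checks agree, while for the MD5 hash only verify_robust succeeds, because its first two characters ("$1") are not the salt that produced it. Migrating existing users needs no re-hashing: old DES entries keep verifying, and new MD5 entries are written as users next log in.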