Web Hosting Talk

PHP v4.2.2 Released due to vulnerability


Shannon
07-22-2002, 03:48 PM
In case anyone hasn't heard already, there's a security hole in v4.2.0 and v4.2.1, so v4.2.2 was released today.

Details on the flaw and the new release can be found at the php.net site (http://www.php.net/release_4_2_2.php).

Upgrading immediately is, of course, the safest action. ;)

RutRow
07-22-2002, 05:40 PM
Thanks for the heads up.

The Prohacker
07-22-2002, 06:07 PM
buildapache.sea is already updated if anyone is running cPanel.

Updates without a problem...

mwatkins
07-22-2002, 06:46 PM
The vulnerability is exploitable by anyone who can send HTTP POST requests to an affected web server. Both local and remote users, even from behind firewalls, may be able to gain privileged access.

Now that is a big flaw. Probably most every version of PHP out there.

Edit: clearly I missed this on the link:
http://www.php.net/release_4_2_2.php

Issued on: July 22, 2002
Software: PHP versions 4.2.0 and 4.2.1
Platforms: All

*seems* clear enough.

JohnCrowley
07-22-2002, 08:08 PM
Anyone know if php 4.1.2 is also vulnerable, or is this php 4.2.x specific?

John C.

clocker1996
07-22-2002, 08:12 PM
yay
time to upgrade all 50 thousand servers
:(

not literally
but i do have a lot of upgrading to do
:(

Anyhow John, I'm sure it does.

JohnCrowley
07-22-2002, 08:21 PM
Can anyone confirm the vulnerability does exist in 4.1.2? I ask because the Internet News (http://www.internetnews.com/dev-news/article.php/1430541) article stated:

He said, in his report to PHP.net, the new versions of 4.2 (which featured a revamped multipart/form-data POST handler) allow some incoming traffic to inadvertently get added to the list of allowed MIME headers -- a process that gives hackers a way through the back door.


Just trying to find out for sure, because umpteen server upgrades to a new 4.2.2 version is:
1. Not fun
2. A big shock to users whose scripts may not work in 4.2.x
3. Not how I want to spend my Monday evening, and probably early Tuesday morning :)

John C.

allera
07-22-2002, 08:52 PM
I have seen no mention on any advisories of any version other than (explicitly) 4.2.0 and 4.2.1.

ADEhost
07-22-2002, 11:04 PM
The bug does not happen in version 4.1.2. I happened to be lucky that I was just considering the move. Well, I'll let that dog lie for another 2 months or so. (Where 1 is found, 3 more are lurking.) -Mike

blacknight
07-23-2002, 05:56 AM
I see that there's a patch available for PHP 4.2.1 to 4.2.2.
How do you apply the patch?

Vortech
07-23-2002, 09:39 AM
Do they have an update for Windows yet? I don't see a new install or update for Windows anywhere. They used to have an exe install or something like that. Any ideas?

allera
07-23-2002, 09:54 AM
You mean this thing?

http://us3.php.net/distributions/php-4.2.2-Win32.zip

It's right under the unix source files here:

http://www.php.net/downloads.php

Vortech
07-23-2002, 11:22 AM
The problem with that version for Windows is this:

The Windows PHP installer is available from the downloads page at
www.php.net. This installs the CGI version of PHP and, for IIS, PWS,
and Xitami, configures the web server as well.
Note that this version does *NOT* install any extensions or server
api versions of PHP.

Where is the one with the installer? :( Seems to be missing. I am not sure if they are the same thing. This one looks to be hard to install as well. :(

Ahmad
07-23-2002, 11:33 AM
Hmm,

I never used the installer version myself.

It is harder to install the zip version, but it isn't that hard.

My guess is, if you have the installer version already installed, all you have to do is replace php4ts.dll and isapi.dll with the ones in the zip package and restart IIS, and everything will be OK.