  1. #1

    PHP v4.2.2 Released due to vulnerability

    In case anyone hasn't heard already, there's a security hole in v4.2.0 and v4.2.1, so v4.2.2 was released today.

    Details on the flaw and the new release can be found at the php.net site.

    Upgrading immediately is, of course, the safest action.
    Pure Energy Systems
    www.purenrg.com

  2. #2
    Thanks for the heads up.

  3. #3
    buildapache.sea is already updated if anyone is running cPanel.

    Updates without a problem...
    -Mat Sumpter
    Director, Product Engagement
    Penton Media

  4. #4
    The vulnerability is exploitable by anyone who can send HTTP POST requests to an affected web server. Both local and remote users, even from behind firewalls, may be able to gain privileged access.
    Now that is a big flaw. Probably most every version of PHP out there.

    Edit, clearly I missed this on the link:
    http://www.php.net/release_4_2_2.php

    Issued on: July 22, 2002
    Software: PHP versions 4.2.0 and 4.2.1
    Platforms: All

    *seems* clear enough.
    Last edited by mwatkins; 07-22-2002 at 08:59 PM.

  5. #5
    Anyone know if php 4.1.2 is also vulnerable, or is this php 4.2.x specific?

    John C.

  6. #6
    Yay, time to upgrade all 50 thousand servers.

    Not literally, but I do have a lot of upgrading to do.

    Anyhow John, I'm sure it does.

  7. #7
    Can anyone confirm the vulnerability does exist in 4.1.2? I ask because the Internet News article stated:

    He said, in his report to PHP.net, the new versions of 4.2 (which featured a revamped multipart/form-data POST handler) allow some incoming traffic to inadvertently get added to the list of allowed MIME headers -- a process that gives hackers a way through the back door.
    Just trying to find out for sure, because umpteen server upgrades to a new 4.2.2 version is:
    1. Not fun
    2. A big shock to users whose scripts may not work in 4.2.x
    3. Not how I want to spend my Monday evening, and probably early Tuesday morning

    John C.

  8. #8
    I have seen no mention on any advisories of any version other than (explicitly) 4.2.0 and 4.2.1.
    Alex Llera
    Professional Server Management
    FreeBSD|Linux|HSphere|Cpanel|Plesk

  9. #9
    The bug does not happen in version 4.1.2. I happened to be lucky that I was just considering the move. Well, I'll let that dog lie for another 2 months or so. (Where 1 is found, 3 more are lurking.) -Mike
    I am Mike from ADEHOST.Com, multidomain Windows hosting with Cold Fusion, ASP and Dot.NET. Also offering multi-domain Unix hosting. Silently, each one should ask: Have I done my daily task? Have I kept my honor bright? Can I sleep without guilt tonight? Have I done and have I did everything to be prepared. - our motto to maintain services.
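The question running through the posts above is which installed versions actually need the upgrade. The script below is an added example, not code from any post or from php.net: it classifies a version string against the two versions the php.net release note names (4.2.0 and 4.2.1), pulls the version out of the two places an admin normally sees it (the first line of `php -v`, and the X-Powered-By header, which is only sent when expose_php is On, so its absence proves nothing), and runs that over a small inventory. The host names and banners are constructed; treating pre-release tags such as 4.2.0RC2 as the version they precede is an assumption made on the conservative side.

```shell
#!/bin/sh
# Added example, not from any post in this thread.
# Classify a PHP version against the two versions named in the php.net
# release note (4.2.0 and 4.2.1) and extract the version from the two
# places an admin sees it: the first line of `php -v` and the
# X-Powered-By response header (only present when expose_php=On).

# php_affected VERSION -> exit 0 if VERSION is 4.2.0 or 4.2.1.
# Pre-release tags (4.2.0RC2, 4.2.1-dev) are folded into the version they
# precede; that is an assumption, made on the conservative side.
php_affected() {
    case "$1" in
        4.2.0 | 4.2.0[A-Za-z-]* | 4.2.1 | 4.2.1[A-Za-z-]*) return 0 ;;
        *) return 1 ;;
    esac
}

# php_version_from_cli 'PHP 4.2.1 (cgi) (built: ...)' -> prints 4.2.1
php_version_from_cli() {
    printf '%s\n' "$1" |
        sed -n 's/^PHP \([0-9][0-9.]*[A-Za-z0-9-]*\).*/\1/p'
}

# php_version_from_header 'X-Powered-By: PHP/4.2.0' -> prints 4.2.0
# (prints nothing for any other header; a trailing CR is not captured)
php_version_from_header() {
    printf '%s\n' "$1" |
        sed -n 's/^[Xx]-[Pp]owered-[Bb]y:[[:space:]]*PHP\/\([^[:space:]]*\).*/\1/p'
}

# report_affected < inventory
#   inventory lines: "<host> <first line of php -v on that host>"
#   prints "<host> <version>" for each affected host; hosts whose banner
#   cannot be parsed are flagged on stderr rather than silently passed.
report_affected() {
    while IFS= read -r line; do
        host=${line%% *}
        banner=${line#* }
        ver=$(php_version_from_cli "$banner")
        if [ -z "$ver" ]; then
            echo "$host: could not parse '$banner', check by hand" >&2
            continue
        fi
        if php_affected "$ver"; then
            printf '%s %s\n' "$host" "$ver"
        fi
    done
}

# Constructed inventory (made-up hosts and banners) so the script runs offline.
demo_inventory() {
    cat <<'EOF'
web1 PHP 4.2.1 (cgi) (built: Jul 10 2002 12:00:00)
web2 PHP 4.1.2 (cgi) (built: Mar 12 2002 10:00:00)
web3 PHP 4.2.0RC2 (cgi) (built: Apr 10 2002 09:00:00)
web4 PHP 4.2.2 (cgi) (built: Jul 22 2002 20:00:00)
web5 sh: php: command not found
EOF
}

demo_inventory | report_affected
```

Run stand-alone it lists web1 and web3 and complains about web5 on stderr. For a real fleet, feed it `host; ssh host php -v | head -1` output per line; a host that only shows a vendor-packaged version string (distribution builds often backport fixes without bumping the version) still has to be checked against the vendor's own advisory.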

  10. #10
    I see that there's a patch available for PHP 4.2.1 to 4.2.2
    How do you apply the patch?
    Blacknight
    ICANN accredited domain registrar
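As an added example answering the question above (not from the thread, and not php.net's own instructions), this is the shape of applying a source diff to an unpacked tree: a dry run first, the real run only if that passes, and a refusal to apply the same diff twice. The two one-file trees and the diff generated between them are constructed stand-ins for the real php-4.2.1 source and the real 4.2.1-to-4.2.2 diff; GNU `patch` and `diff` are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread or from php.net.
# Apply a source patch (such as a 4.2.1-to-4.2.2 diff) to an unpacked
# PHP source tree: dry-run first, apply only if that passes, and refuse
# to re-apply a patch that is already in. Assumes GNU patch and diffutils.

# apply_patch SRC_DIR PATCH_FILE [STRIP]
#   STRIP is the -p level: 1 when the paths on the diff's ---/+++ lines
#   start with a top-level directory such as php-4.2.1/, 0 when they are
#   already relative to SRC_DIR. Exit 0 only if the dry run and the real
#   run both succeed; on a failed dry run the tree is left untouched.
apply_patch() {
    dir=$1; pfile=$2; strip=${3:-1}
    if ! ( cd "$dir" && patch --dry-run -N -p"$strip" < "$pfile" ) >/dev/null 2>&1; then
        echo "dry run failed in $dir (wrong -p level, or patch already applied?)" >&2
        return 1
    fi
    ( cd "$dir" && patch -N -p"$strip" < "$pfile" ) >/dev/null
}

# Constructed stand-in for the real tree and the real diff, so this runs
# offline: two one-file trees and a diff generated between them.
# On success sets DEMO_RESULT to the patched file's contents.
demo_apply() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/php-4.2.1/main" "$work/php-4.2.2/main" || return 1
    printf '#define PHP_VERSION "4.2.1"\n' > "$work/php-4.2.1/main/php_version.h"
    printf '#define PHP_VERSION "4.2.2"\n' > "$work/php-4.2.2/main/php_version.h"
    # diff exits 1 when the trees differ, which is the expected outcome here
    ( cd "$work" && diff -ru php-4.2.1 php-4.2.2 > upgrade.diff ) || [ $? -eq 1 ] || return 1

    apply_patch "$work/php-4.2.1" "$work/upgrade.diff" 1 || return 1
    # a second run must be refused rather than silently re-applied
    if apply_patch "$work/php-4.2.1" "$work/upgrade.diff" 1 2>/dev/null; then
        return 1
    fi
    DEMO_RESULT=$(cat "$work/php-4.2.1/main/php_version.h")
    rm -rf "$work"
}

demo_apply && echo "patched: $DEMO_RESULT"
```

Pick the -p level by looking at the `---` line of the diff: strip exactly as many leading directory components as are needed to make the path resolve inside your unpacked tree. After the patch applies cleanly, the tree still has to be rebuilt and reinstalled the same way as a fresh tarball, and the resulting `php -v` checked against 4.2.2.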

  11. #11
    Do they have an update for Windows yet? I don't see a new install or update for Windows anywhere. They used to have an exe install or something like that. Any ideas?

  12. #12
    You mean this thing?

    http://us3.php.net/distributions/php-4.2.2-Win32.zip

    It's right under the unix source files here:

    http://www.php.net/downloads.php

  13. #13
    The problem with that version for Windows is this:

    The Windows PHP installer is available from the downloads page at
    www.php.net. This installs the CGI version of PHP and, for IIS, PWS,
    and Xitami, configures the web server as well.
    Note that this version does *NOT* install any extensions or server
    api versions of PHP.

    Where is the one with the installer? It seems to be missing. I am not sure if they are the same thing. This one looks to be hard to install as well.

  14. #14
    Hmm,

    I never used the installer version myself.

    It is harder to install the zip version, but it isn't that hard.

    My guess is, if you have the installer version already installed, all you have to do is replace php4ts.dll and isapi.dll with the ones in the zip package and restart IIS, and everything will be OK.
    Ahmad Alhashemi
    PHP, Apache, C, Python, Perl, SQL
    18 related BrainBench certificates
