Koozali.org: home of the SME Server

PHP Security Hole?

LC

PHP Security Hole?
« on: February 28, 2002, 05:47:03 AM »
Hi All,

I stumbled upon this warning that came out today from PHP.net.  Looks like there's a hole in the PHP upload system.

See report here: http://security.e-matters.de/advisories/012002.html.

They suggest upgrading PHP or disabling HTTP uploads.

Does this affect E-smith users running PHP?  (I suspect it does, so I've disabled the HTTP uploads in /etc/php.ini... but I'm not an expert...)


LC

Dan Brown

Re: PHP Security Hole?
« Reply #1 on: February 28, 2002, 06:18:19 AM »
Looks like it's off to build RPMs of PHP 4.1.2...

DJ_Ramjet99

Re: PHP Security Hole?
« Reply #2 on: February 28, 2002, 11:49:02 PM »
Go Dan !!!

Johan

Re: PHP Security Hole?
« Reply #3 on: March 01, 2002, 12:00:43 AM »
Will there be a blade to fix this one?

Rich Lafferty

Re: PHP Security Hole?
« Reply #4 on: March 01, 2002, 12:11:05 AM »
There's no fix yet; as soon as the PHP folks released their patch, it was
pointed out that their patch introduced further bugs. I don't know if Dan's
RPMs just include that problem fix, or if he's done additional work.

Please see our advisory at

   http://www.e-smith.org/article.php3

for the official Mitel Networks position on the vulnerability.

Cheers,

--Rich

Patrick Hickey

Re: PHP Security Hole?
« Reply #5 on: March 01, 2002, 12:42:09 AM »
Dan will cover this and we can thank him for being around for us. It's obviously a constant danger running freeware but most of these potential issues are somewhat off the beaten track and not terribly well known.

patrick

Dan Brown

Re: PHP Security Hole?
« Reply #6 on: March 01, 2002, 01:28:36 AM »
All my RPMs do is build 4.1.2 as I downloaded from php.net last night; I don't know anywhere near enough to go fixing things like this on my own.  Maybe I should pull those RPMs, then...

Dan Brown

Re: PHP Security Hole?
« Reply #7 on: March 01, 2002, 03:45:05 AM »
Patrick, thanks for the kind words, but at this time I have no suggestion.  I've been told by apparently-reliable sources that 4.1.2 does NOT fix the problem, so I've pulled it from my site.  As soon as I hear of a real bugfix, I'll get it up ASAP.

Patrick Hickey

Re: PHP Security Hole?
« Reply #8 on: March 01, 2002, 03:54:48 AM »
Dan - how can anyone complain about free software and free enhancements from a developer???

I had no issue disabling the insecure component and can wait for as long as it takes you or some other generous soul to post a patch.

Might I ask one little, teeny thing in advance?

When you do get your hands onto the right code, keep the posted "back it out" code in mind as you compile (?) your patch.

In other words, for fools like me who know just enough to make a mess, I have executed the security "fix" posted on the main page and thus need to re-enable that when a patch is put forth.

Thanks again.

regards,

patrick

Dan Brown

Re: PHP Security Hole?
« Reply #9 on: March 01, 2002, 04:15:15 AM »
Patrick Hickey wrote:

> Dan - how can anyone complain about free software and free
> enhancements from a developer???

    You'd be amazed...  (-:

> When you do get your hands onto the right code, keep the
> posted "back it out" code in mind as you compile (?) your

    I'll try to do that.

Brad

Re: PHP Security Hole?
« Reply #10 on: March 01, 2002, 11:06:21 AM »
I am currently developing a PHP app on 4.1.2. What I am developing needs file uploads to work. At the moment, while the server is connected to the outside, it only serves the default homepage to the outside. All ibays have either web access turned off or set to local only.

Am I still at risk from these holes? Or do I only need worry if I allow public web access to the ibays??

Thanks,
Brad