Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: LC on February 28, 2002, 05:47:03 AM
-
Hi All,
I stumbled upon this warning that came out today from PHP.net. Looks like there's a hole in the PHP upload system.
See report here: http://security.e-matters.de/advisories/012002.html.
They suggest upgrading PHP or disabling HTTP uploads.
Does this affect E-smith users running PHP? (I suspect it does, so I've disabled the HTTP uploads in /etc/php.ini... but I'm not an expert...)
LC
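The mitigation mentioned above, disabling HTTP uploads in /etc/php.ini, is easy to get wrong because PHP's built-in default for `file_uploads` is On, so simply commenting the line out leaves uploads enabled. The following is an added audit script, not part of the original thread or of SME Server; it parses a php.ini fragment (the sample below is constructed, not from a real install) and reports whether uploads are still enabled.

```python
"""Audit a php.ini for the file_uploads mitigation (added example)."""
import sys

# Constructed sample php.ini fragment; not taken from an actual server.
SAMPLE_PHP_INI = """
; Example php.ini fragment
[PHP]
file_uploads = On ; Whether to allow HTTP file uploads
upload_max_filesize = 2M
"""

# Values PHP's ini parser treats as boolean true; everything else is false.
TRUE_WORDS = {"1", "on", "true", "yes"}


def parse_php_ini(text):
    """Return {key: value} for a php.ini text.

    Comments (';'), blank lines and [section] headers are ignored, keys are
    case-insensitive and a later definition overrides an earlier one, as in
    PHP's own parser. Quoted values containing ';' are not handled.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def ini_bool(value):
    """Interpret a php.ini boolean the way PHP does."""
    return value.strip().lower() in TRUE_WORDS


def uploads_enabled(text):
    """True if HTTP uploads are enabled. A missing key means PHP's default, On."""
    return ini_bool(parse_php_ini(text).get("file_uploads", "On"))


def audit_php_ini(text):
    """Human-readable verdict for the file_uploads setting."""
    if uploads_enabled(text):
        return "file_uploads is ENABLED (set 'file_uploads = Off' and restart httpd)"
    return "file_uploads is disabled"


if __name__ == "__main__":
    # Usage: python audit_php_ini.py /etc/php.ini (falls back to the sample).
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PHP_INI
    print(audit_php_ini(source))
```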
-
Looks like it's off to build RPMs of PHP 4.1.2...
-
Go Dan !!!
-
Will there be a blade to fix this one?
-
There's no fix yet; as soon as the PHP folks released their patch, it was
pointed out that their patch introduced further bugs. I don't know if Dan's
RPMs just include that problem fix, or if he's done additional work.
Please see our advisory at
http://www.e-smith.org/article.php3
for the official Mitel Networks position on the vulnerability
Cheers,
--Rich
-
Dan will cover this and we can thank him for being around for us. It's obviously a constant danger running freeware but most of these potential issues are somewhat off the beaten track and not terribly well known.
patrick
-
All my RPMs do is build 4.1.2 as I downloaded from php.net last night; I don't know anywhere near enough to go fixing things like this on my own. Maybe I should pull those RPMs, then...
-
Patrick, thanks for the kind words, but at this time I have no suggestion. I've been told by apparently-reliable sources that 4.1.2 does NOT fix the problem, so I've pulled it from my site. As soon as I hear of a real bugfix, I'll get it up ASAP.
-
Dan - how can anyone complain about free software and free enhancements from a developer???
I had no issue disabling the insecure component and can wait for as long as it takes you or some other generous soul to post a patch.
Might I ask one little, teeny thing in advance?
When you do get your hands onto the right code, keep the posted "back it out" code in mind as you compile (?) your patch.
In other words, for fools like me who know just enough to make a mess, I have executed the security "fix" posted on the main page and thus need to re-enable that when a patch is put forth.
Thanks again.
regards,
patrick
-
Patrick Hickey wrote:
> Dan - how can anyone complain about free software and free
> enhancements from a developer???
You'd be amazed... (-:
> When you do get your hands onto the right code, keep the
> posted "back it out" code in mind as you compile (?) your
I'll try to do that.
-
I am currently developing a PHP app on 4.1.2. What I am developing needs file uploads to work. At the moment, while the server is connected to the outside, it only serves the default homepage to the outside. All ibays have either web access turned off or set to local only.
Am I still at risk from these holes? Or do I only need worry if I allow public web access to the ibays??
Thanks,
Brad