[thelist] PHP security hole

Allie Micka allie at pajunas.com
Wed Feb 27 22:55:00 CST 2002


> http://security.e-matters.de/advisories/012002.html  All users of PHP are
> strongly encouraged to either upgrade to PHP 4.1.2
> from here: http://www.php.net

Details on this one are awfully vague, probably due to the sensitivity of
calling attention to a potential security vulnerability on 20% of the
world's domains.  Given the publicity on this one, it is probably very
important.  It even warranted a CERT advisory.

It seems logical to blow this one off if you don't have any scripts that
use file uploads, but keep in mind that a form can be posted to a web
server from *anywhere* and it is theoretically possible to POST a file to
a PHP script that is not expecting it.  PHP will process the POSTed file
before running the script so the vulnerability may be exploited regardless
of your application.

Again, details are vague on this one and I don't want to participate in
scare-mongering.  But it's a very, very good idea to make sure your PHP
servers get patched/upgraded.

Allie Micka
pajunas interactive, inc.
http://pajunas.com



