PHP Software Programming Security Apache

Security Hole Found in 4.3.0

Saint Aardvark writes "The good folks at PHP.net have warned of a serious vulnerability in PHP 4.3.0: 'Anyone with access to websites hosted on a web server which employs the CGI module may exploit this vulnerability to gain access to any file readable by the user under which the webserver runs. A remote attacker could also trick PHP into executing arbitrary PHP code if attacker is able to inject the code into files accessible by the CGI. This could be for example the web server access-logs.' It's recommended that you upgrade to 4.3.1 right away."
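
The advisory names web server access logs as one file an attacker could get PHP code into. As an added example (not from the story, PHP.net or any commenter), this Python sketch scans Apache combined-format log lines for PHP open tags in the client-controlled fields. The log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache combined log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?$'
)
# Any "<?" opens PHP when short tags are on; PHP 4 also accepts the
# <script language="php"> form (Apache logs the quotes as \").
PHP_TAG_RE = re.compile(r'<\?|<script\b[^>]*language\s*=\s*[\\"\']*php', re.I)

def scan_access_log(lines):
    """Return (line_no, host, field, kind) for each field holding a PHP open tag.

    kind is "raw" when the tag is stored literally in the log (the form that
    would be parsed as PHP if the log were ever interpreted), or "encoded"
    when it only appears after URL-decoding (a probe, inert as logged).
    """
    findings = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            # Malformed line: still report a literal tag anywhere in it.
            if PHP_TAG_RE.search(line):
                findings.append((no, None, "unparsed", "raw"))
            continue
        for field in ("request", "referer", "agent"):
            value = m.group(field) or ""
            if PHP_TAG_RE.search(value):
                findings.append((no, m.group("host"), field, "raw"))
            elif PHP_TAG_RE.search(unquote(unquote(value))):
                findings.append((no, m.group("host"), field, "encoded"))
    return findings

# Constructed sample lines (documentation address ranges, harmless tag bodies).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Feb/2003:17:52:01 -0500] "GET /index.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [17/Feb/2003:17:53:12 -0500] "GET /a.php HTTP/1.0" 200 310 "-" "<?php echo 1; ?>"',
    '203.0.113.5 - - [17/Feb/2003:17:54:40 -0500] "GET /b.php?x=%3C%3Fphp%20echo%201%3B%3F%3E HTTP/1.0" 404 210 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [17/Feb/2003:17:55:02 -0500] "GET /feed.xml?v=1 HTTP/1.0" 200 900 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A "raw" hit in a log that the PHP CGI user can read is the case worth acting on first; upgrading to 4.3.1, as the story recommends, remains the fix.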
  • by Trak ( 670 ) on Monday February 17, 2003 @05:52PM (#5321671) Homepage Journal
    Damn, I just installed 2.0.44. I'm so behind the curve!
  • eh? (Score:2, Insightful)

    by Anonymous Coward
    Apache 4.3.0??? WTF??

    oh wait, they're talking about PHP!!

    and it looks like the CGI version, NOT the Apache module, correct? Please clarify for the morons in the audience such as myself.

    So the 3 guys that actually use PHP as a CGI module can upgrade and the rest of us can go back to jerking off!
    • Re:eh? (Score:2, Informative)

      and it looks like the CGI version, NOT the Apache module, correct? Please clarify for the morons in the audience such as myself.

      Not only is it only the CGI version, but it's only version 4.3.0 of the CGI version.

  • by legLess ( 127550 ) on Monday February 17, 2003 @06:01PM (#5321718) Journal
    One would hope it could be made clear in the title (currently: "Apache: Security Hole Found in 4.3.0") that this is in fact a PHP hole, not an Apache one.
  • Is It Just Me? (Score:2, Interesting)

    by 4of12 ( 97621 )

    Or does it seem like PHP has been afflicted with a lot of vulnerabilities lately?

    Maybe the number of newsworthy PHP vulnerabilities is a testament to how widely the language is deployed. And, MySQL has had its share, too.

    But the Apache and Linux components of "LAMP" seem to have been relatively secure by comparison.

    • And Linux is relatively unsecure compared to other OSes. I prefer OAPP, OpenBSD-Apache-Postgresql-PHP.
  • cgi vulnerability (Score:3, Interesting)

    by AllMightyPaul ( 553038 ) on Monday February 17, 2003 @06:08PM (#5321762)
    And just two articles down on the homepage, in the Developers section, there is an article [slashdot.org] about the dangers of using CGI. How ... ironic?
  • Finally (Score:3, Funny)

    by Almace ( 216500 ) on Monday February 17, 2003 @06:13PM (#5321783)
    <mandatory microsoft bashing>
    Apache can have ALL the features of IIS.
    </mandatory microsoft bashing>
    • Re:Finally (Score:5, Informative)

      by dietz ( 553239 ) on Monday February 17, 2003 @08:07PM (#5322354)
      Actually, if you install this as an apache module, you aren't vulnerable.

      Only people who use the CGI interface (which is probably very few apache users).

      So posting it under "Apache" was sorta misleading.
    • Re:Finally (Score:2, Offtopic)

      by JediTrainer ( 314273 )
      <mandatory microsoft borking>
      Epeche-a cun hefe-a ELL zee feetoores ooff IIS. Bork Bork Bork!
      </mandatory microsoft borking>
  • I could be (and very possibly am) wrong, but doesn't this only affect you if you've installed PHP in your cgi-bin? Otherwise, you can't ignore .htaccess files by calling PHP directly.

    There will always be a local vulnerability where a user could install the PHP binary, but as long as you give users CGI access you are vulnerable to the same kinds of things through a Perl script or a CGI written in C.

    Simon
  • it's just the CGI version... I saw this just before I went to bed, and didn't really feel like upgrading my PHP install.
  • we now find bugs in versions years before they're ever released, or even planned.... this must have been found by that new government department that monitors everything... would have helped to mention PHP in the title....
  • by phr2 ( 545169 ) on Tuesday February 18, 2003 @01:56AM (#5323805)
    Anyone know if 4.0.2 or 4.1.2 are affected by this bug? Do those versions have serious security probs of their own?
  • so what (Score:1, Flamebait)

    by KilerCris ( 637493 )
    4.3.0 is crap anyway. I upgraded to it and had nothing but trouble. Most servers I've seen are sticking with 4.2.3
  • Note! This upgrade is only relevant for those who have enabled the CLI (command line interface) of PHP. Me, Myself and I can at least relax.
  • None of my apps use the number 4.3.0, so I'm safe.

    Would it be too much to ask to make headlines make a smidgen of sense in the "older articles" section by actually including something like the name of the product affected?

    Oh wait, it is.
  • by ptaff ( 165113 ) on Tuesday February 18, 2003 @01:36PM (#5326941) Homepage
    Class methods are not working as they should in PHP >= 4.3.0; I'd suggest to anyone who does OO in PHP to stay with 4.2.3 as long as they want to keep their scripts working. See for yourself this Bug report [php.net]
