on 3/3/02 7:39 PM, Ric Maņalac at [EMAIL PROTECTED] appended
the following bits to my mbox:

> i personally think that the developer still has
> the control in making his php code secure. but how do you
> think will this news affect php as one of the most popular
> choice for web developers?

Probably doesn't belong so much on the PHP-DB list, since databases not
involved, but since some of you on the list may not be aware....

In most cases, PHP security can be controlled by the developer, but *not* in
this case.

Basically, most php security problems stem from someone not properly
checking input and being sloppy when connecting to databases, etc.

This case, however, is an actual problem in the PHP server code, not
anything you would write.  To summarize, if you have file_uploads enabled on
the server, php parses "multipart/form-data" data that is sent to the

It does this for *any* file, not just the ones that have file uploads in
them.  The bug is in that code and can be used by malicious parties to do
evil things on your server.  It can be used against you even if you only
have one page on your server parsed by PHP and the hacker can find it.

The original report is here:


Basically you have three options:

1) Disable file_uploads, if you're not using them, in the php.ini file.
This works for PHP 4.0.3 or greater.

2) Apply the source patch to your source tree and rebuild.  Works for PHP
3.0.18, 4.06, 4.1.0 and 4.1.1.

3) Upgrade to PHP 4.1.2

You should really do this as soon as possible.  I'm sure someone will make a
Code Red type of infestation soon to exploit this bug soon.  Evidently,
there is a crude exploit circulating.

Hope that helps.


    while ($self != "asleep") {

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to