Look for "file_uploads" in the "PHP Core" section of output from phpinfo().
A "1" means that it is enabled.  A "0" means that it is disabled.

Also, to address:
> > i personally think that the developer still has
> > the control in making his php code secure. but how do you
> > think will this news affect php as one of the most popular
> > choice for web developers?

When you ponder this question, also go to google and search for IIS and
security.  If you think the grass is greener on the other-side, simply
compare the number of deathly exploits--I hope you realize that your grass
is way more green than the paid PR employees would have you believe.  Might
I remind everyone that the patch was released WITH the announcement which
was authored by a PHP developer himself.  When has that ever happened on the
other side?  Usually, it takes several days just for MS to admit there's a
problem.  Personally, the security announcement strengthens my trust in the
PHP developers because they were so open about it and they fixed it
immediately--it isn't hard to apply a patch; Windows versions of PHP don't
suffer from the bug.  No big deal--go on with life!

Court

> -----Original Message-----
> From: jas [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 04, 2002 8:35 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] security
> 
> 
> how can you find out what the php.ini is looking like?  is 
> there a way to
> use php to get that info.  i have used phpinfo() but i cannot 
> see whether or
> not file_uploads is disabled
> Jas
> "Paul Burney" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> on 3/3/02 7:39 PM, Ric Mañalac at 
> [EMAIL PROTECTED] appended
> the following bits to my mbox:
> 
> > i personally think that the developer still has
> > the control in making his php code secure. but how do you
> > think will this news affect php as one of the most popular
> > choice for web developers?
> 
> Probably doesn't belong so much on the PHP-DB list, since 
> databases not
> involved, but since some of you on the list may not be aware....
> 
> In most cases, PHP security can be controlled by the 
> developer, but *not* in
> this case.
> 
> Basically, most php security problems stem from someone not properly
> checking input and being sloppy when connecting to databases, etc.
> 
> This case, however, is an actual problem in the PHP server code, not
> anything you would write.  To summarize, if you have 
> file_uploads enabled on
> the server, php parses "multipart/form-data" data that is sent to the
> script.
> 
> It does this for *any* file, not just the ones that have file 
> uploads in
> them.  The bug is in that code and can be used by malicious 
> parties to do
> evil things on your server.  It can be used against you even 
> if you only
> have one page on your server parsed by PHP and the hacker can find it.
> 
> The original report is here:
> 
> <http://security.e-matters.de/advisories/012002.html>
> 
> Basically you have three options:
> 
> 1) Disable file_uploads, if you're not using them, in the 
> php.ini file.
> This works for PHP 4.0.3 or greater.
> 
> 2) Apply the source patch to your source tree and rebuild.  
> Works for PHP
> 3.0.18, 4.06, 4.1.0 and 4.1.1.
> 
> 3) Upgrade to PHP 4.1.2
> 
> You should really do this as soon as possible.  I'm sure 
> someone will make a
> Code Red type of infestation soon to exploit this bug soon.  
> Evidently,
> there is a crude exploit circulating.
> 
> Hope that helps.
> 
> Paul
> 
> <?php
>     while ($self != "asleep") {
>         $sheep_count++;
>     }
> ?>
> 
> -- 
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 

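The check Court and Paul describe, as an added example that is not part of the original thread: it combines the file_uploads setting with the version ranges Paul lists (reading his "4.06" as 4.0.6) and reports which of the three options apply. The function name is made up for this example.

```php
<?php
// Added example, not from the thread or the PHP project. Decides which of
// the three options above apply to a given PHP build, using only the
// version ranges stated in the advisory summary.

// Releases the e-matters source patch was published for (option 2).
$patchable = array('3.0.18', '4.0.6', '4.1.0', '4.1.1');

function assess_multipart_exposure($version, $file_uploads_on, $patchable)
{
    if (version_compare($version, '4.1.2', '>=')) {
        return 'not affected: PHP 4.1.2 or later carries the fix';
    }
    if (!$file_uploads_on) {
        // multipart/form-data is only parsed when file_uploads is enabled
        return 'mitigated: file_uploads is disabled';
    }
    $options = array();
    // Option 1 only helps on 4.0.3 or later, where the directive is honoured
    if (version_compare($version, '4.0.3', '>=')) {
        $options[] = 'set file_uploads = Off in php.ini if uploads are unused';
    }
    // Option 2: the source patch exists for these exact releases
    if (in_array($version, $patchable)) {
        $options[] = 'apply the source patch and rebuild';
    }
    // Option 3 is always available
    $options[] = 'upgrade to PHP 4.1.2';
    return 'EXPOSED: ' . implode('; or ', $options);
}

// Check the interpreter this script runs under. ini_get() returns "1"
// (or "On") when the directive is enabled and "" or "0" when disabled.
$uploads = ini_get('file_uploads');
$enabled = ($uploads == '1' || strtolower($uploads) == 'on');
echo 'PHP ' . PHP_VERSION . ': '
   . assess_multipart_exposure(PHP_VERSION, $enabled, $patchable) . "\n";

// Constructed sample cases drawn from the version list in the thread
$cases = array(array('4.0.6', true), array('4.1.1', false), array('3.0.18', true));
foreach ($cases as $case) {
    echo 'PHP ' . $case[0] . ' (uploads ' . ($case[1] ? 'on' : 'off') . '): '
       . assess_multipart_exposure($case[0], $case[1], $patchable) . "\n";
}
```

Run it from the command line or as a web page on the server in question; the first line reports the running interpreter, the rest show how the three options map onto the releases Paul names.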