Moshe,

It's quite difficult to exploit this vulnerability without knowing your 
server's setup. It is possible, but personally I wouldn't worry too much 
about it, although you should urge your ISP to upgrade to 4.0.4pl1.

Andi

At 08:07 PM 1/27/2001 +0000, James Moore wrote:
>No. The bug was localised after the release of PHP 4.0.4; that is the reason
>why we released the Security Advisory and PHP 4.0.4pl1, so if you think that
>your servers could be affected you SHOULD upgrade to PHP 4.0.4pl1. It
>affects ALL versions of PHP 4 up to PHP 4.0.4. You should read the Advisory
>carefully and see the corresponding posts on Bugtraq for further
>information. Security Focus is currently down, but check on securityfocus.com
>next week and read about it.
>
>Basically:
>         Issues only affect mod_php4 in apache
>
>         => The issue that php_value engine off can propagate
>            from virtual host to virtual host can be easily worked
>            around by adding php_value engine on to your DEFAULT
>            server config in httpd.conf.
>
>         => The second issue where php directives can be set
>            from request to request has questionable real world
>            use but is still a security issue. IIRC you can
>            prevent this to a certain extent by disallowing
>            OPTIONS requests in your httpd.conf
>
>Doing the above will not guarantee that your system is safe, but it will
>enable you to check the security advisory and then make a decision on whether
>an upgrade is necessary.
>
>
>James
>--
>James Moore
>PHP Quality Assurance Team
>[EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: moshe doron [mailto:[EMAIL PROTECTED]]
> > Sent: 27 January 2001 19:30
> > To: [EMAIL PROTECTED]
> > Subject: [PHP-DEV] ooops, i thought it new one but:
> >
> >
> > In Debian, they say this bug also affects 3pl1, but that's not what I found
> > on php.net.
> > Can I be relaxed if the servers I'm using are running 3pl1?
> >
> > --
> >
> >
> > "Rasmus Lerdorf" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > pl2?  This advisory has been out for over a week and the
> > problem is fixed
> > > in 4.0.4pl1
> > >
> > > -Rasmus
> > >
> > > On Sat, 27 Jan 2001, moshe doron wrote:
> > >
> > > > The problem here is that I have a problem updating some servers that
> > > > contain my code, because they are not in my ownership, so I just have to
> > > > test if this bug affected them (if yes, I'll temporarily remove the file
> > > > from the server), but there are no explanations.
> > > >
> > > > Does that subject stay in the dark till Monday so as not to give hackers
> > > > the chance to exploit it during the weekend?
> > > >
> > > > BTW, will there be an official php4.0.4pl2 on php.net by that time?
> > > >
> > > > tnx
> > > > moshe.
> > > >
> > > > --
> > > >
> > > >
> > > > "Rasmus Lerdorf" <[EMAIL PROTECTED]> wrote in message
> > > > news:[EMAIL PROTECTED]...
> > > > > The reference is right in the link you posted.  Just upgrade to the
> > > > > latest version to address it.
> > > > >
> > > > > On Sat, 27 Jan 2001, moshe doron wrote:
> > > > >
> > > > > > http://freshmeat.net/news/2001/01/27/980597363.html
> > > > > >
> > > > > > where can i find any references?
> > > > > >
> > > > > > tnx
> > > > > > moshe.
> > > > > >
> > > > > > --
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > PHP Development Mailing List <http://www.php.net/>
> > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > > > To contact the list administrators, e-mail:
> > [EMAIL PROTECTED]
> > > > > >
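The two httpd.conf workarounds James describes above, written out as an added example that is not from the thread or from the PHP project: an explicit php_value engine on in the DEFAULT server context, so that a per-vhost php_value engine off cannot propagate into other virtual hosts, and a <Limit> block that refuses OPTIONS requests. The IP address, host names and document roots are made up for illustration, and Apache 1.3 directive syntax (Order/Deny inside <Location>, NameVirtualHost) is assumed.

```apache
# httpd.conf fragment for Apache 1.3 + mod_php4 (added example; addresses,
# host names and paths are constructed, not taken from the thread)

# Workaround 1: state the engine setting in the DEFAULT server context.
# On an unpatched 4.0.4 a "php_value engine off" in one virtual host could
# propagate to other virtual hosts; an explicit default gives every vhost
# a known starting point instead of whatever the previous vhost left behind.
php_value engine on

# Workaround 2: refuse OPTIONS requests server-wide. James recalls this
# limiting the second issue (PHP directives carried from request to request).
# Order/Deny need a directory-type container, hence the <Location />.
<Location />
    <Limit OPTIONS>
        Order deny,allow
        Deny from all
    </Limit>
</Location>

NameVirtualHost 192.0.2.10

# A vhost that legitimately serves static content only and disables PHP.
<VirtualHost 192.0.2.10>
    ServerName static.example.com
    DocumentRoot /var/www/static
    php_value engine off
</VirtualHost>

# A neighbouring vhost that must keep PHP. Setting engine on here as well,
# rather than relying on inheritance, makes the intent explicit.
<VirtualHost 192.0.2.10>
    ServerName app.example.com
    DocumentRoot /var/www/app
    php_value engine on
</VirtualHost>
```

Run apachectl configtest before restarting so a misplaced directive is caught while the old server is still up. As James says, this does not make an unpatched 4.0.4 safe: the <Limit OPTIONS> block only blocks one delivery path and the default-server engine on only covers the vhost leak he describes, so treat both as a stopgap until the server is on 4.0.4pl1.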