Just in case - I received a 506kb attachment...

Andrey

----- Original Message -----
From: "James Cox" <[EMAIL PROTECTED]>
To: "Php-Dev" <[EMAIL PROTECTED]>
Sent: Friday, March 01, 2002 5:30 PM
Subject: [PHP-DEV] FW: [PHP-QA] New Windows Binaries

> Note,
>
> ezmlm is rejecting the attachment, so I have put it here:
>
> http://www.php.net/~imajes/windows-php.zip ..
>
> Thanks,
>
> James
>
> -----Original Message-----
> From: James Cox [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 01, 2002 3:26 PM
> To: Php-Dev
> Cc: Php-Qa
> Subject: [PHP-QA] New Windows Binaries
>
>
> Hey All,
>
> Shane and I worked last night to build Windows versions of 4.1.2, and also
> fix a further vulnerability which exists when you call the cgi directly, for
> example in cgi with apache, it was possible to call
> http://example.com/php/php.exe?c:\winnt\repair\sam to get the equivalent of
> the /etc/passwd file.
>
> We have patched it so it is no longer possible to call it directly, so this
> vulnerability is at least worked around.
>
> Due to the fact that some webservers fix this by default anyway, we have 2
> new ini options. (see them in the php.ini in the source).
>
> The particular one you'll need to set is cgi.force-redirect (0|1) so that
> for servers that are not exploitable (e.g., IIS) you override the setting.
>
> I hope that made sense, check out the attached binaries... let us know if
> there are any problems. If not, I'll put them up on the website with
> detailed (Thought out) install instructions for all those windows users,
> and add comments to the docs.
>
> Thanks,
>
> James
> --
> James Cox :: [EMAIL PROTECTED] :: Landonize It! http://landonize.it/
> Was I helpful? http://www.amazon.co.uk/exec/obidos/wishlist/23IVGHQ61RJGO/
>
>
> --
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, visit: http://www.php.net/unsub.php
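An added example, not part of the original thread or of PHP's own code: a small Python audit of a php.ini for the setting James describes. It accepts both the `cgi.force-redirect` spelling from the message and the underscore form `cgi.force_redirect`; the server labels, the result strings and the default of "on" when the directive is absent are assumptions of this sketch.

```python
import re

# Accepts the spelling used in the message (cgi.force-redirect) and the
# underscore form. The value runs to end of line or to an inline ';' comment.
_DIRECTIVE = re.compile(r'^\s*cgi\.force[-_]redirect\s*=\s*([^;\r\n]*)', re.I)
_TRUE = {"1", "on", "yes", "true"}

# Per the message, IIS is an example of a server that is not exploitable and
# where the setting is meant to be overridden. Labels are hypothetical.
NOT_EXPLOITABLE = {"iis"}


def force_redirect_enabled(ini_text, default=True):
    """Return the effective setting; the last uncommented assignment wins.

    default=True is an assumption: the guard is treated as on unless the
    ini file switches it off.
    """
    enabled = default
    for line in ini_text.splitlines():
        m = _DIRECTIVE.match(line)  # lines starting with ';' never match
        if m:
            value = m.group(1).strip().strip('"\'').lower()
            enabled = value in _TRUE
    return enabled


def audit(ini_text, server):
    """Classify one php.ini for one web server type."""
    enabled = force_redirect_enabled(ini_text)
    if server.lower() in NOT_EXPLOITABLE:
        # The message says the setting is overridden (0) on such servers.
        return "ok" if not enabled else "needs-override"
    # Any other server: php.exe must not be callable directly.
    return "ok" if enabled else "exposed"


# Constructed sample: guard commented out, then explicitly disabled.
SAMPLE_APACHE_BAD = """[PHP]
; cgi.force-redirect = 1
cgi.force-redirect = 0 ; turned off while debugging
"""

if __name__ == "__main__":
    print("apache:", audit(SAMPLE_APACHE_BAD, "apache"))
    print("iis:   ", audit(SAMPLE_APACHE_BAD, "iis"))
```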