Is this patch for Windows already applied to CVS's PHP 4_0_7 branch?

Rui

> Shane and I worked last night to build Windows versions of 4.1.2, and also
> fix a further vulnerability which exists when you call the cgi directly, for
> example in cgi with apache, it was possible to call
> http://example.com/php/php.exe?c:\winnt\repair\sam to get the equivalent of
> the /etc/passwd file.
>
> We have patched it so it is no longer possible to call it directly, so this
> vulnerability is at least worked around.
>
> Due to the fact that some webservers fix this by default anyway, we have 2
> new ini options. (see them in the php.ini in the source).
>
> The particular one you'll need to set is cgi.force-redirect (0|1) so that
> for servers that are not exploitable (eg, IIS) you override the setting.
>
> I hope that made sense, check out the attached binaries... let us know if
> there are any problems. If not, I'll put them up on the website with
> detailed (thought out) install instructions for all those windows users,
> and add comments to the docs.
>
> Thanks,
>
> James

-- 
-----------------------------------------------------
Rui Hirokawa <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
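The mechanism behind the php.exe?c:\winnt\repair\sam request quoted above, and the shape of the check that the new cgi.force-redirect setting turns on, as an added Python model that is not part of the thread and not PHP's own code. It relies on two things the thread does not spell out: RFC 3875 section 4.4, under which a web server passes a query string containing no "=" to a CGI program as command-line arguments, and the fact that Apache sets the REDIRECT_STATUS environment variable when it reaches a CGI through an Action-driven internal redirect, while a client cannot set that variable (client headers arrive as HTTP_*). The file contents, paths and refusal message are constructed for the example.

```python
# Added example (not from the thread, not PHP's code): why a php.exe that is
# reachable by URL leaks arbitrary files, and how a force-redirect check
# closes the direct-access path while leaving normal Action-based use working.
from urllib.parse import unquote

# Constructed stand-in for the Windows filesystem.
FILES = {
    r"c:\winnt\repair\sam": "<backup SAM hive bytes>",
    r"c:\web\htdocs\hello.php": "<?php echo 'hello'; ?>",
}

REFUSAL = "refused: the PHP CGI cannot be accessed directly"


def query_to_argv(query_string: str) -> list[str]:
    """RFC 3875 section 4.4: a QUERY_STRING with no unencoded '=' is an
    'indexed' query; the server splits it on '+', URL-decodes each word and
    passes the words to the CGI program as command-line arguments."""
    if not query_string or "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+") if word]


def php_cgi_unpatched(argv: list[str], env: dict) -> str:
    """Model of the vulnerable behaviour: argv[1], if present, names the
    script to run; otherwise PATH_TRANSLATED (set by the server) does.
    Returning the file's content stands in for PHP echoing a non-PHP file
    verbatim, which is how the SAM backup ends up in the response."""
    script = argv[1] if len(argv) > 1 else env.get("PATH_TRANSLATED", "")
    return FILES.get(script, "")


def php_cgi_force_redirect(argv: list[str], env: dict,
                           force_redirect: bool = True) -> str:
    """Model of the fix: with force_redirect on, run only when the server
    set REDIRECT_STATUS, which Apache does for an Action-driven internal
    redirect and which a direct browser request cannot supply. Servers that
    never set it (the thread names IIS) need force_redirect turned off, which
    is the override the thread's cgi.force-redirect (0|1) option provides."""
    if force_redirect and "REDIRECT_STATUS" not in env:
        return REFUSAL
    return php_cgi_unpatched(argv, env)


if __name__ == "__main__":
    attack = ["php.exe"] + query_to_argv(r"c:\winnt\repair\sam")
    print("unpatched:", php_cgi_unpatched(attack, {}))
    print("patched  :", php_cgi_force_redirect(attack, {}))
    apache_env = {"REDIRECT_STATUS": "200",
                  "PATH_TRANSLATED": r"c:\web\htdocs\hello.php"}
    print("via Action:", php_cgi_force_redirect(["php.exe"], apache_env))
```

The model also shows why the option has to be switchable: on a server that does not set REDIRECT_STATUS, leaving force-redirect on refuses every request, so the operator turns it off and relies on the server not mapping the query string to argv in the first place.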