Hi everyone, a potential client just sent me this. Is it an old problem,
or a new one?

----------begin forwarded worrier-----------

Hi Nick

Did you mention that you use PHP?

I subscribe to a photo gallery site and they stopped uploads due to the
following problem.

"[Feb 27, 2002, 10:11 PM] Emergency Security Update
        Within the last 24 hours, details of a vulnerability in PHP which
can be exploited remotely have been made public. The vulnerability allows
any attacker to send a malformed POST request to a PHP-enabled Web server in
a manner that will allow remote access as the user running the Web server
processes. In the general case on our servers, this means the "nobody" user.

        Although the "nobody" user has limited privileges, any such access
is a potential launching point for other nefarious activities. Moreover,
some customers may be using a PHP with cgiwrap, meaning that their actual
account is vulnerable because of this weakness. 
        We are working to deploy and test a new build of Apache that will
include PHP 4.1.2, the version created specifically to address this
vulnerability. However, this requires careful testing and can not be
deployed immediately. In the interim, therefore, we have disabled the file
upload feature of PHP on our servers. This is the quick workaround
recommended by PHP developers and the CERT advisory. We are also contacting
all customers who are using custom PHP builds, and recommending that they
take similar steps until such time as they can deploy PHP 4.1.2. 
        We understand that this change interferes with functionality for
some customer sites. We will have the new Apache+PHP build in place as soon
as possible, and will post a further notice at that time. We ask that our
customers respect our insistence on treating security vulnerabilities as
problems no less critical than system outages. 
        For more information, please visit:
        <http://www.cert.org/advisories/CA-2002-05.html>
        <http://security.e-matters.de/advisories/012002.html> 

regards


Steve Pickering

SimCorp Financial Training A/S
Indiakaj 1, 2100 Copenhagen O
Denmark
Phone: +45 35 44 68 00, Direct: +45 35 44 68 17, Mobile: +45 40 86 41 13,
Fax: +45 35 44 68 11
mailto:[EMAIL PROTECTED] Homepage: http://www.simcorp.com




----- End forwarded message -----

-- 
-----------------------------------------------------------
 www.explodingnet.com   |    Projects, Forums and
                        +    Articles for website owners
-- Nick Wilson --       |    and designers.
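As an added illustration (not code from Nick's post or from the hosting provider's notice), a read-only PHP check a site owner could run to see whether a server is still on a build older than 4.1.2 with uploads enabled, or has the interim "disable file uploads" workaround in place. It assumes the `file_uploads` php.ini directive (and the Apache `php_admin_flag` way of forcing it per host) govern the interpreter the check runs under.

```php
<?php
// Added example, not code from the original post or the hosting provider.
// Reports whether this PHP build predates the 4.1.2 fix for the file-upload
// bug and whether uploads are still enabled, i.e. whether the interim
// workaround ("disable file uploads") is in effect. Assumption: it runs with
// the same php.ini / httpd.conf settings as the web server itself.
//
// The workaround is a one-line setting, either globally in php.ini:
//     file_uploads = Off
// or per virtual host in httpd.conf (mod_php), where users cannot override it:
//     php_admin_flag file_uploads off

function php_upload_exposure()
{
    $version = PHP_VERSION;

    // version_compare() was introduced in PHP 4.1.0. If it is missing, the
    // interpreter is older than that and therefore also older than 4.1.2.
    if (function_exists('version_compare')) {
        $patched = version_compare($version, '4.1.2', '>=');
    } else {
        $patched = false;
    }

    // ini_get() returns the raw string from php.ini ("1"/"0", "On"/"Off"),
    // so normalise it before deciding.
    $raw = strtolower(trim((string) ini_get('file_uploads')));
    $uploads_on = in_array($raw, array('1', 'on', 'true', 'yes'));

    return array(
        'version'    => $version,
        'patched'    => $patched,
        'uploads_on' => $uploads_on,
        // Exposed only when unpatched AND uploads are still accepted.
        'exposed'    => (!$patched && $uploads_on),
    );
}

$s = php_upload_exposure();
printf("PHP %s: patched=%s uploads=%s => %s\n",
    $s['version'],
    $s['patched'] ? 'yes' : 'no',
    $s['uploads_on'] ? 'on' : 'off',
    $s['exposed'] ? 'EXPOSED: upgrade to 4.1.2 or set file_uploads = Off'
                  : 'not exposed via file upload');
```

Run it through the web server (not only from a shell) so it sees the same configuration the server uses; a per-host `php_admin_flag` in httpd.conf is invisible to a command-line run.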


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php