Hi everyone, a potential client just sent me this. Is it an old problem, or a new one?

----------begin forwarded worrier-----------

Hi Nick

Did you mention that you use PHP? I subscribe to a photo gallery site and they stopped uploads due to the following problem.

"[Feb 27, 2002, 10:11 PM] Emergency Security Update

Within the last 24 hours, details of a vulnerability in PHP which can be exploited remotely have been made public. The vulnerability allows any attacker to send a malformed POST request to a PHP-enabled Web server in a manner that will allow remote access as the user running the Web server processes. In the general case on our servers, this means the "nobody" user. Although the "nobody" user has limited privileges, any such access is a potential launching point for other nefarious activities. Moreover, some customers may be using a PHP with cgiwrap, meaning that their actual account is vulnerable because of this weakness.

We are working to deploy and test a new build of Apache that will include PHP 4.1.2, the version created specifically to address this vulnerability. However, this requires careful testing and cannot be deployed immediately. In the interim, therefore, we have disabled the file upload feature of PHP on our servers. This is the quick workaround recommended by PHP developers and the CERT advisory. We are also contacting all customers who are using custom PHP builds, and recommending that they take similar steps until such time as they can deploy PHP 4.1.2.

We understand that this change interferes with functionality for some customer sites. We will have the new Apache+PHP build in place as soon as possible, and will post a further notice at that time. We ask that our customers respect our insistence on treating security vulnerabilities as problems no less critical than system outages.

For more information, please visit:
<http://www.cert.org/advisories/CA-2002-05.html>
<http://security.e-matters.de/advisories/012002.html>

regards
Steve Pickering
SimCorp Financial Training A/S
Indiakaj 1, 2100 Copenhagen O, Denmark
Phone: +45 35 44 68 00, Direct: +45 35 44 68 17, Mobile: +45 40 86 41 13, Fax: +45 35 44 68 11
mailto:[EMAIL PROTECTED]
Homepage: http://www.simcorp.com

----- End forwarded message -----

-- 
www.explodingnet.com | Projects, Forums and Articles for website owners and designers.
-- Nick Wilson --
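As an added example (not part of the thread above or of the PHP project's own code), a short check an administrator could run on a host to classify it against the workaround the notice describes: it assumes the standard file_uploads php.ini directive and compares the running version against the 4.1.2 fix release named in the notice.

```php
<?php
// Added example, not from the original post. Reports whether this host is still
// exposed per CA-2002-05: a PHP version before 4.1.2 with file uploads enabled.
// ini_get() returns the effective setting, so it also reflects php_admin_flag
// overrides in httpd.conf that a plain grep of php.ini would miss.

function upload_workaround_status($version, $file_uploads)
{
    // $version is a string such as "4.1.1"; $file_uploads is the raw ini value
    // ("1", "0", "On", "Off", "" ...) as returned by ini_get('file_uploads').
    $patched    = version_compare($version, '4.1.2', '>=');
    $uploads_on = in_array(strtolower(trim((string) $file_uploads)),
                           array('1', 'on', 'yes', 'true'), true);

    if ($patched) {
        return 'patched: PHP ' . $version . ' (file uploads may be re-enabled)';
    }
    if (!$uploads_on) {
        return 'mitigated: file_uploads is off, but the upgrade to 4.1.2 is still pending';
    }
    return 'EXPOSED: PHP ' . $version . ' with file_uploads enabled; '
         . 'set file_uploads = Off until 4.1.2 is deployed';
}

// Evaluate the host this script runs on.
echo upload_workaround_status(PHP_VERSION, ini_get('file_uploads')), "\n";
```

Run it from the command line and through the web server: the two SAPIs can load different ini files, and the web server is the one that matters here.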