PHPBuilder.com, the best resource for PHP tutorials, templates, PHP manuals, content management systems, scripts, classes and more.

Linux Today
Enterprise Linux Today
Apache Today
JustLinux.com
Linux Planet
PHPBuilder
All Linux Devices
Hiermenus
DatabaseJournal
Technology Jobs

IT
Developer
Internet News
Small Business
Personal Technology
International

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers

Covalent Extends Apache 2.0 to Microsoft ASP.NET
ShopWorX - Support for Windows
PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
Network Risk Assessment
Full-Featured, Java-Based Apache GUI

Partners & Affiliates

CyberCash
Using XML, a PHP Developer's Primer, Part 4: XML-RPC, PHP and Javascript
Best Practices: Database Indexing
Using XML: A PHP Developer's Primer, Part 4
Caching Web Page Output for Server Optimization

Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload From: Zeev Suraski (zeev <email protected>)
Date: 09/04/00

Next message: Bug Database: "[PHP-DEV] PHP 4.0 Bug #5146 Updated: Autoconf does not add -lpq"
Previous message: Bug Database: "[PHP-DEV] PHP 4.0 Bug #4512 Updated: Memory leaks Sybase for MSSQL using FreeTDS"
In reply to: Rasmus Lerdorf: "Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload"
Next in thread: Stig Venaas: "Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload"
Reply: Stig Venaas: "Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The initial fix published earlier did NOT fix the vulnerability that was
discovered, and could also cause crashes under certain circumstances. It
could also cause some applications to fail, due to a side effect that
prevents certain valid form variables from being processed correctly.

The correct, tested fixed file (without any side effects) is available at

http://cvsweb.php.net/viewcvs.cgi/~checkout~/php4/main/rfc1867.c?rev=1.45&content-type=text/plain

The diff against version 4.0.2 is available at:

http://cvsweb.php.net/viewcvs.cgi/php4/main/rfc1867.c.diff?r1=1.38%3Aphp_4_0_2&tr1=1.1&r2=text&tr2=1.45&diff_format=u

It is also attached to this message.

Thanks to James Moore for helping me test this fix.

Zeev

application/octet-stream attachment: rfc1867.c.diff

--
Zeev Suraski   <zeev <email protected>>
http://www.zend.com/

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>

Next message: Bug Database: "[PHP-DEV] PHP 4.0 Bug #5146 Updated: Autoconf does not add -lpq"
Previous message: Bug Database: "[PHP-DEV] PHP 4.0 Bug #4512 Updated: Memory leaks Sybase for MSSQL using FreeTDS"
In reply to: Rasmus Lerdorf: "Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload"
Next in thread: Stig Venaas: "Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload"
Reply: Stig Venaas: "Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through PHP file upload"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]