Date: 01/27/01
- Next message: Balazs Nagy: "[PHP-DEV] using PEAR and safe_mode at the same time (long)"
- Previous message: melvyn <email protected>: "[PHP-DEV] PHP 4.0 Bug #8953: in_array returning number of 'hits'"
- In reply to: Andi Gutmans: "RE: [PHP-DEV] ooops, i thought it new one but:"
- Next in thread: James Moore: "RE: [PHP-DEV] ooops, i thought it new one but:"
- Reply: James Moore: "RE: [PHP-DEV] ooops, i thought it new one but:"
thanks u all.
i just became too pressured by the freshmeat message; in the future i'll take
more care before badgering u with paranoid questions ;|
moshe.
--
"Andi Gutmans" <andi <email protected>> wrote in message
news:5.0.2.1.2.20010127221012.02418908 <email protected>
> Moshe,
>
> It's quite difficult to exploit this vulnerability without knowing your
> servers setup. It is possible, but personally I wouldn't worry too much
> about it although you should urge your ISP to upgrade to 4.0.4pl1.
>
> Andi
>
> At 08:07 PM 1/27/2001 +0000, James Moore wrote:
> > No. The bug was localised after the release of PHP 4.0.4; that is the reason
> > why we released the Security Advisory and PHP 4.0.4pl1, so if you think that
> > your servers could be affected you SHOULD upgrade to PHP 4.0.4pl1. It
> > affects ALL versions of PHP 4 up to PHP 4.0.4; you should read the Advisory
> > carefully and see the corresponding posts on Bugtraq for further
> > information. Security Focus is currently down but check on securityfocus.com
> > next week and read about it.
> >
> > Basically:
> >   Issues only affect mod_php4 in apache
> >
> >   => The issue that php_value engine off can propagate
> >      from virtual host to virtual host can be easily worked
> >      around by adding php_value engine on to your DEFAULT
> >      server config in httpd.conf.
> >
> >   => The second issue where php directives can be set
> >      from request to request has questionable real world
> >      use but is still a security issue. IIRC you can
> >      prevent this to a certain extent by disallowing
> >      OPTIONS requests in your httpd.conf
> >
> > Doing the above will not guarantee that your system is safe but it will
> > enable you to check the security advisory and then make a decision on whether
> > an upgrade is necessary.
> >
> > James
> > --
> > James Moore
> > PHP Quality Assurance Team
> > jmoore <email protected>
> >
> > > -----Original Message-----
> > > From: moshe doron [mailto:mosdoron <email protected>]
> > > Sent: 27 January 2001 19:30
> > > To: php-dev <email protected>
> > > Subject: [PHP-DEV] ooops, i thought it new one but:
> > >
> > > in debian, they say this bug affecting also 3pl1, but it's not what i found
> > > on php.net.
> > > can i be relaxed if the servers i using running 3pl1?
> > >
> > > --
> > >
> > > "Rasmus Lerdorf" <rasmus <email protected>> wrote in message
> > > news:Pine.LNX.4.30.0101271111410.888-100000 <email protected>
> > > > pl2? This advisory has been out for over a week and the problem is fixed
> > > > in 4.0.4pl1
> > > >
> > > > -Rasmus
> > > >
> > > > On Sat, 27 Jan 2001, moshe doron wrote:
> > > >
> > > > > the problem here is, that i have problem to update some servers contains my
> > > > > code coz them not in my ownership, so i just have to test if this bug affected
> > > > > them (if yep i'll temporarily remove the file from the server) but no
> > > > > explains.
> > > > >
> > > > > does that subject stay in darken till monday not to give hackers the chance
> > > > > to exploit it during the weekend?
> > > > >
> > > > > btw, will there official php4.0.4pl2 on php.net that time?
> > > > >
> > > > > tnx
> > > > > moshe.
> > > > >
> > > > > --
> > > > >
> > > > > "Rasmus Lerdorf" <rasmus <email protected>> wrote in message
> > > > > news:Pine.LNX.4.30.0101271045540.888-100000 <email protected>
> > > > > > The reference is right in the link you posted. Just upgrade to the latest
> > > > > > version to address it.
> > > > > >
> > > > > > On Sat, 27 Jan 2001, moshe doron wrote:
> > > > > >
> > > > > > > http://freshmeat.net/news/2001/01/27/980597363.html
> > > > > > >
> > > > > > > where can i find any references?
> > > > > > >
> > > > > > > tnx
> > > > > > > moshe.

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>
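
An added example, not part of the thread or of PHP's own tooling: a small Python check that reads an httpd.conf and reports whether the two workarounds James Moore lists above are in place. The sample configuration, the `audit` function and the `<Limit OPTIONS>` with `Deny from all` form of the OPTIONS restriction are assumptions; the thread itself names only `php_value engine on` in the default server config and "disallowing OPTIONS requests".

```python
import re

# Constructed httpd.conf excerpt (not from the thread): nothing is set at the
# main-server scope and one virtual host switches the PHP engine off.
SAMPLE_CONF = """\
ServerName www.example.test
<VirtualHost 10.0.0.1>
    php_value engine off
</VirtualHost>
"""

ENGINE = re.compile(r"php_(?:value|flag)\s+engine\s+(on|off)\b", re.I)
OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</(\w+)>")
DENY_ALL = re.compile(r"deny\s+from\s+all\b", re.I)

def audit(conf_text):
    """Report which of the two workarounds from the thread are missing."""
    stack = []             # open <Section args> containers, innermost last
    default_engine = None  # engine value set outside every container
    vhosts_off = []        # virtual hosts that set engine off
    options_denied = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif OPEN.match(line):
            name, args = OPEN.match(line).groups()
            stack.append((name.lower(), args.strip()))
        elif ENGINE.match(line):
            value = ENGINE.match(line).group(1).lower()
            vhost = [a for n, a in stack if n == "virtualhost"]
            if not stack:
                default_engine = value
            elif vhost and value == "off":
                vhosts_off.append(vhost[0])
        elif DENY_ALL.match(line):
            # Assumed form of "disallowing OPTIONS": Deny inside <Limit OPTIONS>
            if any(n == "limit" and "OPTIONS" in a.upper().split() for n, a in stack):
                options_denied = True
    findings = []
    if vhosts_off and default_engine != "on":
        findings.append("engine off in vhost(s) %s, no engine on at main-server scope" % ", ".join(vhosts_off))
    if not options_denied:
        findings.append("OPTIONS requests are not restricted")
    return findings
```

An empty result only means both workarounds are present; as the thread says, they do not guarantee safety, and the fix it recommends is the upgrade to 4.0.4pl1.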

