PHP 4.2.0 and 4.2.1 Remote vulnerability
Results 1 to 4 of 4

Thread: PHP 4.2.0 and 4.2.1 Remote vulnerability

  1. #1
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103

    Exclamation PHP 4.2.0 and 4.2.1 Remote vulnerability

    Stefan Esser (http://www.E-Matters.de) discovered a remote vulnerability in PHP versions 4.2.0 and 4.2.1.

    Taken from E-Matters.de:
    We have discovered a serious vulnerability within the default version of PHP. Depending on the processor architecture it may be possible for a remote attacker to either crash or compromise the web server.
    The vulnerability found by E-Matters.de exploits a bug in the code that checks the headers that contain HTTP POST requests. Different stack-architecture makes non-x86 systems more vulnerable.

    PHP.net has released a security advisory and urges people to update to 4.2.2, available here.

    If, for some reason, you are unable to update, you are advised to deny POST requests on your webserver. PHP-net offers this guideline for the Apache webserver:

    Taken from PHP.net:
    If the PHP applications on an affected web server do not rely on HTTP POST input from user agents, it is often possible to deny POST requests on the web server.

    In the Apache web server, for example, this is possible with the following code included in the main configuration file or a top-level .htaccess file:

    Code:
          <Limit POST>
             Order deny,allow
             Deny from all
          </Limit>
    Note that an existing configuration and/or .htaccess file may have parameters contradicting the example given above.
    More information:
    Advisory 02/2002 PHP remote vulnerability ( E-matters.de )
    PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1 ( PHP.net )
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  2. #2
    Banned
    Join Date
    Jun 2002
    Posts
    458
    Just read about this. Was just about to post when I logged on and saw it here. Good thing somebody did. And though this security hole was found in php, I doubt many will have the expertise to exploit it. And as for that apache/.htaccess many sites already do that. I know, I check on many of them. Some are responsible, some are not.

  3. #3
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    And though this security hole was found in php, I doubt many will have the expertise to exploit it.
    Just one person has to write a tool, and each script-kiddy can use it.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    i agree with guus it only takes 1 person 2 write an exploit for it and all the skiddies around the net would have there hand`s on the tool <rant>why cant they just read dam skiddies</rant>
    By the sacred **** of the sacred psychedelic tibetan yeti ....We\'ll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •