OpenBSD Journal

PHP file_upload vulnerability

Contributed by Dengue on from the doh dept.

fansipans writes:
"There are multiple remote vulnerabilities in PHP, the popular open source web scripting engine, for versions 3.10 all the way up to 4.1.1 (4.1.1 is what is in ports-current as I type this). The description is here: http://security.e-matters.de/advisories/012002.html and patches can be found here: http://www.php.net/downloads.php. The patch applied fine in my php4 ports source directory, and I was back up and running in about fifteen minutes."



Comments
  1. By fansipans (fansipans@SPAMdubATE.MYgmuBALLS.edu.noballs!)

    In the OpenBSD ports system as of 6:30pm EST, Friday March 1 2001:

    php3 has been patched for the following CVS branches: 2.9, 3.0, and MAIN (-current).

    php4 has only been patched for 3.0, which is PHP version 4.0.6. To the best of my knowledge, the -current php, version 4.1.1, has not been patched.

    Let this be a lesson: check your vendors' websites often!!!

    --fansipans

  2. By huh? (i_decline@most_any_isp.com)

    I've spent the better part of the last 2 days compiling php4 on both sparc and i386. What I really want is FLAVOR='postgresql ldap gd pdflib' but that seems to fail on both platforms. I end up with no libphp4.so in .libs.

    I think I've narrowed it to a combination of the first three flavors with pdflib. All four flavor ports seem to build and install just fine, but the combination with php4 fails. My machines are kinda slow and I have real work to do so I haven't been able to play with all the combinations yet.

    Does anyone know, offhand, if this combination is a no-go?

    Thank you very much
