http://www.hardened-php.net/advisories/012004.txt
--
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
PHP Security Advisory: CGI vulnerability in PHP version 4.3.0
Issued on: February 17, 2003
Software: PHP/CGI version 4.3.0
Platforms: All
The PHP Group has learned of a serious security vulnerability in
the CGI SAPI of PHP version 4.3.0.
On Tue, 23 Jul 2002, Richard Lynch wrote:
> This is excluding support contracts for software you paid for -- Once you
> pay Oracle enough money for Support Contracts, they have pretty good
> support, from what I hear... :-)
They're attentive and responsive and about as knowledgeable as you could
>Well, I'm not sure about the 'you get what you pay for'. Some paid for
>software has less support and documentation than PHP!
In my experience, *ALL* paid-for software has less support and documentation
than PHP.
This is excluding support contracts for software you paid for -- Once you
pay Orac
Well, I'm not sure about the 'you get what you pay for'. Some paid for
software has less support and documentation than PHP!
"Justin French" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Greg,
>
> Your attitude stinks.
>
> PHP is a FREE scripting language.
Hi,
1. Every piece of software has bugs - PHP still has bugs - it always will
have. Deal with it.
2. It is no-one's responsibility other than your own to *test the
software*. Anyone using any form of software in a production environment
has at least one test bed to install new versions of software o
> Who said anything about M$? I don't use their crappy products so I
> don't have to deal with their security issues.
I'm the one who brought up Microsoft, I'm saying it's a whole lot better
than the alternatives.
> If PHP 4.2 is unsafe then why is it listed at the top of the page for
> down
[snip]
>Well, trying to upgrade on Slackware Linux 8.0 and compiling with the GD
>(1.8.4) libraries are giving us some headaches. Some of what seems to be
>wrong;
...
You're simply looking at the old PHP.
You did stop/start Apache, right?... Cuz the new PHP won't kick in until
you do.
If so, al
Greg,
Your attitude stinks.
PHP is a FREE scripting language. Think about the amount of money you are
probably charging hosting clients, or charging in web or programming
services, or making in site revenue, or whatever way you 'commercially
function' through PHP.
The register globals 'imposit
On Mon, 22 Jul 2002, Greg Donald wrote:
> Not only did I get to re-write all my apps the past few months because of
> the new register_globals default that was imposed by `the php group`...
You didn't have to. The choice was given to you, for your own good. If you
have very disciplined programm
>On Mon, 22 Jul 2002, Marko Karppinen wrote:
>
>> PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
>
>Not only did I get to re-write all my apps the past few months because of
>the new register_globals default that was imposed by `the php group`...
You could have just *CHAN
>Well, trying to upgrade on Slackware Linux 8.0 and compiling with the GD
>(1.8.4) libraries are giving us some headaches. Some of what seems to be
>wrong;
>
>phpinfo() does not show new build times for each compile, not seemingly a
>caching problem (we have shut down browsers and then re-opened t
On Mon, 22 Jul 2002, 1LT John W. Holmes wrote:
> This other guy needs to quit his freakin whining and just do his job. Or go
> use ASP...the choice is yours.
Or JSP, for that matter. I've just been discussing with a friend about this
security issue, and he was trying to convince me to move to Java...
The superglobals have been around for a bit so it's not as if everything's
got to be updated overnight.
I run PHP on windows and upgrading is just a matter of unzipping the archive
to my PHP folder and overwriting all the older files - dead simple. Don't
even have to change php.ini if I don't wa
[snip]
Can anyone that has done it comment on the complexities of the upgrade?
[/snip]
Well, trying to upgrade on Slackware Linux 8.0 and compiling with the GD
(1.8.4) libraries are giving us some headaches. Some of what seems to be
wrong;
phpinfo() does not show new build times for each compile
, July 22, 2002 1:52 PM
To: Richard Baskett; PHP General
Subject: Re: [PHP] PHP Security Advisory: Vulnerability in PHP
versions 4.2.0 and 4.2.1
> Well from the sound of it, it's a quick painless process to upgrade
> php to the newest version using the patch. Can anyone that has done
>
> Well from the sound of it, it's a quick painless process to upgrade php to
> the newest version using the patch. Can anyone that has done it comment on
> the complexities of the upgrade? I'm just going on what it says on the php
> homepage...
Nice and easy for me, I'm running it on windows, th
Quoting Greg Donald <[EMAIL PROTECTED]>:
> It's not about that.. It's about the hell I've already been
> through with the new register_globals setting. Then two huge ass
> security holes following in the next couple of months after that.
> If it doesn't bother you the hassles 'the php group' i
I actually enjoy all the security releases. They give me something to
do at work!
tyler
On Mon, 22 Jul 2002 11:55:31 -0500 (CDT)
Greg Donald <[EMAIL PROTECTED]> wrote:
> On Mon, 22 Jul 2002, Marko Karppinen wrote:
>
> > PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and
> > 4.
22 Jul 2002 12:30:50 -0500 (CDT)
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] PHP Security Advisory: Vulnerability in PHP versions 4.2.0
> and 4.2.1
>
> On 22 Jul 2002, Adam Voigt wrote:
>
>> Hey man, if you can't stand the heat, get out of the freakin sun.
>>
On 22 Jul 2002, Adam Voigt wrote:
>Hey man, if you can't stand the heat, get out of the freakin sun.
>At least PHP tells you about holes, not like Microsoft who will fix it
>six months down the line (if they even admit a hole exists). Plus, if
Who said anything about M$? I don't use their crappy
Hey man, if you can't stand the heat, get out of the freakin sun.
At least PHP tells you about holes, not like Microsoft who will fix it
six months down the line (if they even admit a hole exists). Plus, if
you're running anything past 4.1.2 on production systems, it's your own
damn fault because sev
On Mon, 22 Jul 2002, Marko Karppinen wrote:
> PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
Not only did I get to re-write all my apps the past few months because of
the new register_globals default that was imposed by `the php group`...
Now I get to upgrade my PHP ins
IIRC, just about every upgrade has security fixes, you may be hard
pressed to find an older version that doesn't have any big holes in it.
On Mon, 2002-07-22 at 10:55, Ilia A. wrote:
> On July 22, 2002 10:12 am, 1LT John W. Holmes wrote:
> > [snip]
> >
> > >PHP Security Advisory: Vulnerability
On July 22, 2002 10:12 am, 1LT John W. Holmes wrote:
> [snip]
>
> >PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
>
> [/snip]
>
> Looks like everyone will be using the new super globals, now... :)
>
> Well, I guess I'm still assuming that in a perfect world, people will
>
[snip]
>PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
[/snip]
Looks like everyone will be using the new super globals, now... :)
Well, I guess I'm still assuming that in a perfect world, people will
upgrade because of security issues...
---John Holmes...
PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
Issued on: July 22, 2002
Software: PHP versions 4.2.0 and 4.2.1
Platforms: All
The PHP Group has learned of a serious security vulnerability in PHP
versions 4.2.0 and 4.2.1. An intruder may be able to execute arbit
27 matches