Re: PHP Update .. details

To: debian-security@lists.debian.org
Subject: Re: PHP Update .. details
From: Harry Sufehmi <milis-2@harrysufehmi.com>
Date: Sat, 25 Dec 2004 14:48:35 +0000
Message-id: <[🔎] 4.3.2.7.2.20041225143751.0195f320@mail.harrysufehmi.com>

Initially a few CVE numbers were assigned and then later withdrawn when itbecame clear that the issues could only be exploited by a user who wrote amalicious PHP script - not a remote issue, or too serious. (Given that ifyou had the ability to write evil PHP code you cold just run 'system('rm..');'.

-----------------

Just would like to draw your attention to the following page:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=248046

Basically, they claim that phpBB v2.0.11 running on PHP version < 4.3.10becomes remotely vulnerable, and they claim there are exploits on the wild-- which backs their claim, and makes it definitely a serious issue.


When PHP upgraded to 4.3.10, it's no longer vulnerable.

Being a layman, I'm not able to confirm that claim. However, the fact thatthis is an official announcement from them, I think it's worth reading overat least.

Hopefully Debian security team will be convinced to patch php4 package then.


Thanks,
Harry

Reply to:

Prev by Date: subscribe
Next by Date: VirtualHost and PHP security
Previous by thread: Re: PHP Update .. details
Next by thread: Martin Mifsud/ErnstYoung/MT is out of the office. [Email checked - EMEA]
Index(es):
- Date
- Thread