
Security breach in PHP 4

Status
Not open for further replies.

AnakinPt

Programmer
Mar 29, 2001
583
PT
Hi.

It was found that there is a security breach in PHP handling file uploads. You can read more about this in:
Their advice is to install the patch to your current version of PHP or else, upgrade to PHP 4.1.2. These can be downloaded from
Anikin
Hugo Alexandre Dias
Web-Programmer
anikin_jedi@hotmail.com
 
Sorry for the spelling mistakes.
Anikin
Hugo Alexandre Dias
Web-Programmer
anikin_jedi@hotmail.com
 
Hehe...

You mean it took them this long to find another one?

Gee, let's see... AFAIK this is maybe the third serious advisory I have heard about for PHP in the past 4 years. During the same time, I believe there have been approximately, ummm, about 1500 IIS/ASP advisories... does anyone have that exact number...?

Sounds like we're using the right tool for the job ;-).
-------------------------------------------

"Calculus is just the meaningless manipulation of higher symbols"
                          -unknown F student
 
Hi...

I was wondering about the patch... apparently it's a diff file, or so I believe (their do_download.php works evil in most browsers).

I can't seem to get it to patch whatever file it's supposed to patch (for php 4.0.6). Any hints?

Going up to 4.1.2 is not an option as too many deprecated function names cause older php apps to crash and burn.
 
Well... exactly what are you doing when you try the patch?

(TIP: generally, in the forums, if you are trying something, and it isn't working, explain exactly what you are trying, instead of just saying "any hints?". This makes it a lot easier to give advice.)
-------------------------------------------

"Calculus is just the meaningless manipulation of higher symbols"
                          -unknown F student
 
How does one install the patch? Do I execute it? It says to 'Apply in php-4.0.6/main'.
 
Most Unix or Linux systems by default have the "patch" utility. First, just check and make sure patch is installed on your system: enter "patch --h". If it doesn't return anything, then you will need to search to see if it is in a non-standard location, or you might need to specify the full path, such as /usr/local/bin/patch.

Anyway, the basic syntax to apply a patch to a source tree is "patch -p0 < patch_name.diff", where "patch_name.diff" is the name of your patch, and you are running this command from the root directory of a source tree. (the -p0 part specifies how many directories you strip off the front of the path, depending on where you are starting)

Note: the patch is available for download as a .diff.gz file, so it will need to be uncompressed. However, since it is using gzip, and most browsers transparently support gzip, it's possible that the file will be automatically uncompressed as you download or view it.

For more info, try "man patch".

Here is the result when I did the patch (checking directory, then unzipping first):
Code:
bash-2.05$ pwd
/home/rick/php-4.1.0/main
bash-2.05$ gunzip rfc1867.c.diff-4.1.x.gz 
bash-2.05$ patch -p0 < rfc1867.c.diff-4.1.x 
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: rfc1867.c
|===================================================================
|RCS file: /repository/php4/main/rfc1867.c,v
|retrieving revision 1.71.2.1
|retrieving revision 1.71.2.2
|diff -u -r1.71.2.1 -r1.71.2.2
|--- rfc1867.c  24 Sep 2001 17:48:22 -0000      1.71.2.1
|+++ rfc1867.c  21 Feb 2002 18:46:45 -0000      1.71.2.2
--------------------------
Patching file rfc1867.c using Plan A...
Hunk #1 succeeded at 15.
Hunk #2 succeeded at 195.
done
bash-2.05$
-------------------------------------------

"Calculus is just the meaningless manipulation of higher symbols"
                          -unknown F student
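The -p handling and "file to patch" lookup described in the instructions above, as an added Python example that is not from this thread or from PHP: it models what `patch -pN < diff` does with the `+++` header path (the rfc1867.c diff names the bare file, which is why it has to be applied inside main/), reports the missing-file case before touching anything, and applies hunks only where the context matches exactly. The source tree, the file name `example.c` and the diff are constructed for the demo; real `patch` also does fuzz matching and reverse detection, which this model leaves out.

```python
import os, re, tempfile
# Constructed sample: a tiny C file and a unified diff whose headers name the bare
# file (no directory), like the rfc1867.c diff in the thread, hence "apply in main".
SAMPLE_SRC = "#include <stdio.h>\nint main(void) {\n    return 0;\n}\n"
SAMPLE_DIFF = ("--- example.c\t(constructed)\n+++ example.c\t(constructed)\n@@ -1,4 +1,5 @@\n"
               ' #include <stdio.h>\n int main(void) {\n+    puts("patched");\n     return 0;\n }\n')

def strip_prefix(path, p):                    # patch's -pN: drop the first N path components
    parts = [c for c in path.split("/") if c]
    if p >= len(parts):
        raise ValueError("-p%d strips every component of %r" % (p, path))
    return "/".join(parts[p:])
def parse_unified_diff(text):                 # single-file diff -> (new_path, [(old_start, body)])
    new, hunks = None, []
    for line in text.splitlines():
        if line.startswith("+++ "):
            new = line[4:].split("\t")[0]     # path ends at the tab before the timestamp
        elif line.startswith("@@"):
            hunks.append((int(re.match(r"@@ -(\d+)", line).group(1)), []))
        elif hunks and line[:1] in (" ", "-", "+"):
            hunks[-1][1].append(line)
    return new, hunks
def apply_hunks(lines, hunks):                # exact-context application (no fuzz); None on mismatch
    out, pos = [], 0
    for old_start, body in hunks:
        out, pos = out + lines[pos:old_start - 1], old_start - 1
        for l in body:
            if l[0] != "+":                   # context/removed line must be in the original
                if pos >= len(lines) or lines[pos] != l[1:]:
                    return None
                pos += 1
            if l[0] != "-":
                out.append(l[1:])
    return out + lines[pos:]
def dry_run(diff_text, p, cwd):               # what 'patch -pN < diff' run from cwd would do
    new, hunks = parse_unified_diff(diff_text)
    target = os.path.join(cwd, strip_prefix(new, p))
    if not os.path.isfile(target):
        return "missing"                      # patch's "can't find file to patch"
    with open(target) as f:
        return "ok" if apply_hunks(f.read().splitlines(), hunks) is not None else "mismatch"
def demo():                                   # constructed tree <tmp>/main/example.c
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "main"))
    with open(os.path.join(root, "main", "example.c"), "w") as f:
        f.write(SAMPLE_SRC)
    deep = SAMPLE_DIFF.replace("example.c", "php-src/main/example.c")  # headers with a prefix
    return {"root_p0": dry_run(SAMPLE_DIFF, 0, root),                   # wrong directory
            "main_p0": dry_run(SAMPLE_DIFF, 0, os.path.join(root, "main")),
            "root_p1": dry_run(deep, 1, root)}                          # -p1 strips php-src/
```

`demo()` returns "missing" for the tree root with -p0, "ok" from inside main/, and "ok" from the root once the headers carry a prefix that -p1 strips; the real tool's `--dry-run` option gives the same kind of check without modifying files.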
 
I don't have an rfc1867.c file in that folder. I have an rfc1867.h. When I run the patch, it tells me that it "can't find file to patch at input line 3"
Then it asks me for a file.
 
Thanks Anikin for starting this thread and moreso thanks Rycamore for posting patch instruction.
You will not believe how much time I spent searching php.net and redhat at the weekend for these (grr at people who think everyone else already knows) :)
***************************************
Party on, dudes!
 