EuroHarmony Community Forums

Archive => EuroHarmony VA => Old Forum => Technical discussions => Topic started by: EHM-0654 Murray on December 21, 2004, 01:45:43 pm

Title: Security holes in PHP 4.X/5.X
Post by: EHM-0654 Murray on December 21, 2004, 01:45:43 pm

Don't know if this is something that we directly need to worry about, or rather something we need to make someone else worry about, but a series a really bad security holes have been found in PHP 4 and 5.

I found out because I look after a PHPbb for my employer and saw the security post there telling everyone to upgrade to the latest PHP4 (or 5). Given the EHM forum uses PHP, thought I'd warn...

Anyhow, here's the body of my post to the PHPbb I look after:

Quote

Posted elsewhere by me
Not sure how many of our users this will affect, but given the software we use for the forum relies on PHP, we thought we would post a warning here just in case.

To quote from The Inquirer article (Major bug in PHP opens database security hole ([url]http://www.theinquirer.net/?article=20329[/url])):

"A serious bug in the popular PHP development language can leave databases wide open to intrusion if the proper security steps aren't taken.

A posting over the weekend to the development homepage of forum software phpBB highlighted the issue, which had already been picked up by security consultants Secunia on Thursday.

The exploit, which affects php versions prior to 4.3.10 or 5.0.3, uses errors in the way that serialisation and realpath commands are handled to gain escalated privileges, bypass some security restrictions and compromise a vulnerable system. Many web administrators are suffering problems from hackers that have been quick to do what damage they can - we know that Inq favourite the Ace of Spodes has been having troubles.

The solution to the exploit is to upgrade to the latest version of php - either 4.3.10 or 5.0.3, depending on which thread you are running. The 4.3.10 build also includes some 5.x bugfixes and features which have been ported backwards.

Our very own barmy Argentinian, Fernando Cassia, reports that the development tool Zend Optimizer is broken by 4.3.10, so any budding programmers will want to patch up Zend to the latest version."

Links:

PHPbb security article regarding this issue ([url]http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=248046[/url])
Secunia advisory regarding this issue ([url]http://secunia.com/advisories/13481/[/url])
PHP development website ([url]http://www.php.net/[/url])

Title: Security holes in PHP 4.X/5.X
Post by: EHM-0948 Bruno on December 21, 2004, 03:16:11 pm

Hi Murray,

First, thank you for your concern about it.

Well, since i am here, i never saw any problems with the security on this site. We will be "with our eyes open" on that matter.

Regards,

Title: Security holes in PHP 4.X/5.X
Post by: EHM-0005 Maarten on December 22, 2004, 11:06:52 am

I´ll talk with our hosting provider to see if this bug affects us too.

Thank you for letting us know