[WBEL-users] Severe PHP vulnerability??
Johnny Hughes
mailing-lists@hughesjr.com
Sat, 18 Dec 2004 17:14:22 -0600
On Sat, 2004-12-18 at 16:18 -0500, jk42@bitbuckets.com wrote:
> Hello all,
>
> By now I'm sure everyone is aware of the major vulnerability with PHP
> versions prior to 4.3.9 or 5.0.2. There are actually a number of
> different problems, but all (except one, which is currently being
> exploited) are only problems for hosts which allow users to create their
> own PHP pages. The one remotely exploitable attack, which deals with the
> unserialize() call (and on Athlon64 systems has been demonstrated to
> execute shell code with the privileges of the web server process), is
> widely used.
>
> http://www.hardened-php.net/advisories/012004.txt
>
> What are other WBEL users doing to protect themselves? The only updates I
> have found are source code downloads of PHP 4.3.10 or 5.0.3, and from what
> I hear it's a royal pain to recompile PHP and all the drivers. WBEL has
> version 4.3.2.
>
> Does anyone know of a solution to this, while we wait for RedHat to
> release an official RHEL fix? Does someone know where the unserialize
> problem is and how to fix it - perhaps I could backport the fix to the
> 4.3.2 WBEL packages. I'll do some research and let everyone know.
These packages are released, but unsupported for RHEL3:
http://people.redhat.com/jorton/Taroon-php/