php fileupload vulnerability

     
11:26 am on Feb 28, 2002 (gmt 0)

For people using PHP, I received a CERT advisory today about the upload vulnerability. You might want to consider an upgrade or disabling the uploads before it's too late :)
12:02 pm on Feb 28, 2002 (gmt 0)

Thanks for that - you don't have a URL handy, do you?
12:07 pm on Feb 28, 2002 (gmt 0)

Sure I do. Forgot to include it in the first post.
[security.e-matters.de...]
9:14 pm on Mar 2, 2002 (gmt 0)

Thanks for the heads up!

I have two servers and was going to do the quick fix for today with the..

file_upload = off in the php.ini file.

My PHP 4.06 ini has a section for file uploads with the easy fix of changing on to off.

I also have PHP 4.0.3pl1. It has, in the paths section of the ini file, the place to adjust the upload file size and a line to adjust the destination directory. But nowhere can I find the File_upload line to turn it off.

Does anyone know if this line should be there in this version?

I would just do a quick upgrade, but there is nothing normal about this server's setup. It seems like whoever set it up the first time changed all the default install directories, so a "configure" "make" "install" never goes smoothly.