Backported Marcus' foreach() speedup patch from PHP 5.x.
Anybody running 5.0 in a live environment yet? I'm pushing one in the first week of January, 2005.
Date: Thu, 16 Dec 2004 14:57:54 +0100
Subject: [SA13481] PHP Multiple Vulnerabilities
From: Secunia Security Advisories <sec-adv@secunia.com>
TITLE:
PHP Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA13481
VERIFY ADVISORY:
[secunia.com...]
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Exposure of sensitive information, Privilege escalation, System access
WHERE:
From remote
SOFTWARE:
PHP 5.0.x [secunia.com...]
PHP 4.3.x [secunia.com...]
DESCRIPTION:
Multiple vulnerabilities have been reported in PHP, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system.
1) An integer overflow in the "pack()" function can be exploited to cause a heap-based buffer overflow by passing some specially crafted parameters to the function.
Successful exploitation bypasses the safe_mode feature and allows execution of arbitrary code with the privileges of the web server.
2) An integer overflow in the "unpack()" function can be exploited to leak information stored on the heap by passing specially crafted parameters to the function.
In combination with the first vulnerability, this may also allow bypassing of heap canary protection mechanisms.
3) An error within safe_mode when executing commands can be exploited to bypass the safe_mode_exec_dir restriction by injecting shell commands into the current directory name.
Successful exploitation requires that PHP runs on a multi-threaded Unix web server.
4) An error in safe_mode combined with certain implementations of "realpath()" can be exploited to bypass safe_mode via a specially crafted file path.
5) An error within the handling of file paths may potentially lead to file inclusion vulnerabilities. The problem is that "realpath()", which in some implementations truncates filenames, is used in various places to obtain the real path of a file.
6) Various errors within the deserialization code can be exploited to disclose information or execute arbitrary code via specially crafted strings passed to the "unserialize()" function.
7) An unspecified error in the "shmop_write()" function may result in an attempt to write to an out-of-bounds memory location.
8) An unspecified error in the "addslashes()" function causes it to not escape "\0" correctly.
9) An unspecified boundary error exists in the "exif_read_data()" function when handling long section names.
10) An unspecified error within "magic_quotes_gpc" may allow a one-level directory traversal when uploading files.
NOTE: Other potential security issues have also been reported.
SOLUTION:
Update to version 4.3.10 or 5.0.3.
[php.net...]
PROVIDED AND/OR DISCOVERED BY:
1-6) Stefan Esser
6) Martin Eiszner
7-10) Reported by vendor.
ORIGINAL ADVISORY:
[php.net...]
Stefan Esser:
[hardened-php.net...]
Maybe I should look into an alternative for the accelerator that does get updated.
Here's what I did (from 4.3.3 to 4.3.10 on RH9):
apachectl stop
cd php-4.3.3
make clean
cd ..
tar -xzvf php-4.3.10.tar.gz
cd php-4.3.10
./configure --with-my-various-options-from-4.3.3-install
make
make install
I then executed the libtool update command as instructed during the installation routine.
Killed me. I had to "make clean" in php-4.3.10 and reinstall php-4.3.3, then I restored my Apache2 binaries, modules, and config files from my daily backup to get the server up again.
The httpd daemon simply wouldn't start, and threw no errors at me.
Note that this isn't an RPM installation (so no rpm -Uvf) and it's not Slackware (so no updatepkg).
I didn't upgrade any Zend stuff, as I don't use it specifically. (The PHP and Zend sites said to upgrade if you used Zend Optimizer.)
From Zend:
Due to incompatibility of the previous version of Zend Optimizer with PHP 4.3.10, it is strongly recommended that owners of Zend Performance Suite, Zend Accelerator, Zend Studio Server, and Zend WinEnabler, upgrade to Zend Optimizer 2.5.7.
Did I err? Is there a 1-2-3 upgrade process other than the above? Thanks for any help.
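As an added example (not code from the thread, and not a PHP project script): a rebuild procedure that first checks the installed PHP against the fixed releases named in the advisory above (4.3.10 / 5.0.3), reuses the configure flags of the existing build instead of retyping them, and keeps a rollback copy of the Apache module so httpd can be restored when the new build will not load. It assumes php and apachectl are on PATH, the new source tree is already unpacked, and Apache 2 loads PHP from a single module file; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or the PHP project. Checks the installed PHP
# against the SA13481 fixed releases and rebuilds from source with the old
# configure flags, keeping a rollback copy of the Apache module.
# Assumes php and apachectl on PATH; $1 = unpacked source tree, $2 = module file.

# True if dotted version $1 >= $2, compared field by field as numbers
# (a plain string comparison would rank "4.3.10" below "4.3.9").
version_ge() {
    first=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$first" = "$2" ]
}

# True if the version is on a branch the advisory covers and older than the fix.
# Suffixed versions (4.3.10RC1, 5.0.3-dev) are treated as affected: review by hand.
sa13481_affected() {
    case "$1" in
        *[!0-9.]*) return 0 ;;
        4.*) ! version_ge "$1" 4.3.10 ;;
        5.*) ! version_ge "$1" 5.0.3 ;;
        *) return 1 ;;
    esac
}

# Print the original ./configure arguments from `php -i` output read on stdin
# (assumes the quoted form "Configure Command =>  './configure' '--with-...'").
configure_args_from_phpinfo() {
    sed -n "s/^Configure Command => *'\.\/configure' *//p"
}

upgrade_php() {
    src=$1; module=$2
    installed=$(php -r 'echo PHP_VERSION;')
    if ! sa13481_affected "$installed"; then
        echo "PHP $installed is not older than the SA13481 fix; nothing to do"
        return 0
    fi
    args=$(php -i | configure_args_from_phpinfo)
    cp "$module" "$module.bak-$installed"   # rollback copy; keep a full backup too
    apachectl stop
    (cd "$src" && eval ./configure "$args" && make && make install)
    if ! apachectl configtest; then
        echo "new module fails configtest, restoring $module" >&2
        cp "$module.bak-$installed" "$module"
    fi
    apachectl start
}
```

Run it as, for instance, `upgrade_php /usr/src/php-4.3.10 /usr/lib/apache2/modules/libphp4.so` (paths are placeholders); configtest catches a module that cannot load, but a full backup of the Apache tree is still the real safety net.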
It looks like PHP has a nasty bug, and one that can cause some potentially wicked problems with unwanted database access. It’s been discovered that PHP versions prior to 4.3.10 or 5.0.3 have problems connected with the way that serialisation and realpath commands are handled to gain escalated privileges. The result is that many web administrators are suffering problems from hackers. Fortunately, the problem has now been fixed. The solution to the exploit is to upgrade to the latest version of PHP - either 4.3.10 or 5.0.3, depending on which thread you are running. The 4.3.10 build also includes some 5.x bugfixes and features which have been ported backwards.
Numerous threads do exist on WWorld and elsewhere containing warnings about upgrading to PHP 4.3.10, and without doubt PHP.NET will be teeming with discussion about PHP 4.3.11 at the moment.
Apparently the only really urgent concern is to remove/update any phpBB installation/s you may have, otherwise I'm cautiously confident that most other current PHP security warnings are no more than knee-jerk reactions ;)
Keeping a watchful eye on WWorld Forum88 seems to be a wise move over the holidays ( [webmasterworld.com...] ). Speaking of holidays, we're shutting down early this morning to allow time for backups and other holiday precautions.
Merry Crimble to all, and to all a Good Knight!