Date: 20 Feb 2003 16:28:43 -0000
From: Chris Shenton <chris@Shenton.Org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/48486: PHP 4.3.0 serious security hole, upgrade to 4.3.1
Message-ID: <20030220162843.3400.qmail@PECTOPAH.shenton.org>
>Number:         48486
>Category:       ports
>Synopsis:       PHP 4.3.0 serious security hole, upgrade to 4.3.1
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 20 09:10:18 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Chris Shenton
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD Pectopah.shenton.org 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Wed Feb 19 17:08:39 EST 2003 chris@Pectopah.shenton.org:/usr/obj/usr/src/sys/GENERIC i386
>Description:
http://www.php.net/release_4_3_1.php

Anyone with access to websites hosted on a web server which employs the CGI module may exploit this vulnerability to gain access to any file readable by the user under which the webserver runs.

A remote attacker could also trick PHP into executing arbitrary PHP code if attacker is able to inject the code into files accessible by the CGI. This could be for example the web server access-logs.
>How-To-Repeat:
>Fix:
upgrade to php-4.3.1
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports-bugs" in the body of the message