
Topic: PHP Vulnerabilities

Anybody seen this:
http://developers.slashdot.org/develope … mp;tid=172

Seems to list a lot of bulletin board systems.

Re: PHP Vulnerabilities

It is necessary to understand that these strings can exploit a bunch of popular PHP applications remotely because they pass f.e. cookie content to unserialize().

Luckily I'm using explode/implode/substr for most of my cookie stuff.
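
The risk the advisory describes, as an added example that is not from this thread or from PunBB: the weak pattern (raw cookie bytes fed to unserialize()) next to a hardened one that keeps cookie state as JSON and only parses cookies carrying a valid HMAC. It assumes modern PHP (7.3 or later) and a hypothetical server-side `$secret`.

```php
<?php
// Added example (not from the thread): untrusted cookie data and unserialize().

// Weak: whatever the client sends in the cookie reaches unserialize() directly.
// The native serialization parser, and (on later PHP versions) any class with
// __wakeup()/__destruct(), is then exposed to attacker-chosen input.
function load_prefs_weak(array $cookies): array
{
    $prefs = @unserialize($cookies['prefs'] ?? '');
    return is_array($prefs) ? $prefs : [];
}

// Hardened: JSON instead of the native format, plus an HMAC so the server
// only parses cookies it issued itself. $secret is a hypothetical random key.
function issue_prefs_cookie(array $prefs, string $secret): string
{
    $payload = json_encode($prefs, JSON_THROW_ON_ERROR);
    $mac = hash_hmac('sha256', $payload, $secret);
    return base64_encode($payload) . '.' . $mac;
}

function load_prefs_safe(array $cookies, string $secret): array
{
    $parts = explode('.', $cookies['prefs'] ?? '', 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$b64, $mac] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return [];
    }
    // Constant-time comparison; a mismatch means the cookie was not issued by us.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return [];
    }
    // Bounded depth keeps deeply nested input from consuming the parser.
    $prefs = json_decode($payload, true, 4);
    return is_array($prefs) ? $prefs : [];
}

// Constructed demo values (not real configuration).
$secret = 'replace-with-a-random-server-secret';
$cookie = issue_prefs_cookie(['theme' => 'dark', 'tz' => 'UTC'], $secret);
var_dump(load_prefs_safe(['prefs' => $cookie], $secret));        // issued cookie
var_dump(load_prefs_safe(['prefs' => $cookie . 'x'], $secret));  // tampered cookie
```

The explode/implode/substr approach mentioned above avoids the serialization parser entirely; the HMAC additionally stops clients from forging or editing the values themselves.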

Re: PHP Vulnerabilities

Well, PunBB uses unserialize(), so it could be at risk...

Re: PHP Vulnerabilities

Not a lot I can do about that other than urge people to upgrade their PHP environments. I do however believe that the unserialize thing is quite difficult to exploit. Especially since they didn't release a proof of concept (which is of course a good thing!).

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: PHP Vulnerabilities

Oh, come across.

Re: PHP Vulnerabilities

My host is updating today.


Re: PHP Vulnerabilities

Just a few quick words ...

I guess I should consider myself lucky. My ISP seemed to think I was lazy, or just plain stoopid.

I went *years* without a single hack attempt on our server. In the span of one month, we got hacked by the same $%^%$#@!! kiddie licker 4 times. I wound up getting a good friend of mine to help me update our forums, due to problems I had of my own trying to update it. Thanks to him, I should be OK now. :>)

In a word, I cannot *wait* to get away from phpbb. When we update our website, it will be with a shiny new version of PunBB.

Kudos Rickard and Paul.


Re: PHP Vulnerabilities

punbb = great

phpbb = not so great


Re: PHP Vulnerabilities

punbb = great

phpbb = sux


Re: PHP Vulnerabilities

This from ISC:

Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case. The worm exploits the 'highlight' bug in phpBB 2.0.10 and earlier. The current version of phpBB (2.0.11, released Nov. 18th) fixes this problem. Nevertheless, it's still a good idea to update php.


Re: PHP Vulnerabilities

phpbb who?  :>)


Re: PHP Vulnerabilities

If anyone is running Debian Sarge, PHP 4.3.10 was just released.

I can now breathe a sigh of relief :)