PHP Vulnerabilities (Critical Update/Patch)

Started by Peter Duggan, December 21, 2004, 07:57:30 PM

Fizzy

Well I would have thought that the most urgent would be an upgrade to PHP 4.3.10 together with the required Zend upgrade  ;)
"Reality is merely an illusion, albeit a very persistent one." - A.E.


forumite

What should the permissions be set to for the two patch files? In the patch they're set to 644, but the existing two files on my server are set to 777.

TIA

Tom

[Unknown]

Quote from: rvforumite on March 02, 2005, 05:09:04 PM
What should the permissions be set to for the two patch files? In the patch they're set to 644, but the existing two files on my server are set to 777.

It doesn't matter.

Why chmod 777 is NOT a security risk

-[Unknown]

MrFlicks

Quote from: Peter Duggan on December 21, 2004, 07:57:30 PM
A number of vulnerabilities have been reported in PHP (the language in which SMF is written) which may allow attackers to compromise your site and/or server. While this is not SMF's fault, and indeed affects a huge number of respected PHP programs, patching it by upgrading PHP (the preferred method) or applying our own SMF patch is regarded as a critical update.

To patch these vulnerabilities in PHP completely, you should upgrade (or ask your host to upgrade) PHP to version 4.3.10 or 5.0.3.  However, be aware of a problem some people have encountered after upgrading PHP.

If this is not possible for some reason (or cannot be done immediately), you should download and apply the security patch available in the package manager, or extract and upload the attached zip file (for RC2 - a separate file is available for Charter Members.) The files on the downloads page have already been updated so, if you downloaded them after this post was made, you're fine already.  This patch is not required if your PHP version has been upgraded, although it will not cause any problems if installed.

We're still looking into the repercussions of some of the security holes found, but are committed to dealing with problems of this nature promptly, whatever the cause.

Regards,
Simple Machines

Would I still need this, say, for TVWorlds.com, or is this concerning an earlier version?
MrFlicks
Double T Teds ®™ 6028 Cartoon Characters www.doubletteds.com

www.tvworlds.com/forum (My SMF Forum)

www.HostTed.net www.AffiliatTed.com www.TransactTed.com www.Tted.co.uk

Trekkie101


MrFlicks

MrFlicks
Double T Teds ®™ 6028 Cartoon Characters www.doubletteds.com

www.tvworlds.com/forum (My SMF Forum)

www.HostTed.net www.AffiliatTed.com www.TransactTed.com www.Tted.co.uk

paulanator

Thanks for the updates, my site was hacked too.

Gary

This topic hasn't been posted in for nearly two years...

This patch was for 1.0 RC2. It is included by default..

-AwwLilMaggie
Gary M. Gadsdon
Do NOT PM me unless I say so
War of the Simpsons
Bongo Comics Fan Forum
Youtube Let's Plays

^ YT is changing monetisation policy, help reach 1000 sub threshold.

SBGamesCone

Quote from: AwwLilMaggie on January 12, 2007, 10:50:15 AM
This topic hasn't been posted in for nearly two years...

This patch was for 1.0 RC2. It is included by default..

-AwwLilMaggie

Is there a new vulnerability that is out and being exploited?

http://www.surmunity.com/showthread.php?p=232560#post232560

Fizzy

What makes him think SMF is to blame? The fact that WordPress was compromised makes me suspect that this is not SMF related at all.

I find it quite invidious when people claim "SMF hacked" without even producing a single piece of evidence to show that it was to blame.
"Reality is merely an illusion, albeit a very persistent one." - A.E.

